From 5f29efd3f956dcc973e3a0db1f720cf38926b219 Mon Sep 17 00:00:00 2001 From: Vaishnav Gaikwad Date: Wed, 15 Jun 2022 15:36:46 +0530 Subject: [PATCH 1/3] update annotations and sonobuoy version --- packages/rancher-cis-benchmark/charts/Chart.yaml | 6 +++--- packages/rancher-cis-benchmark/charts/values.yaml | 4 ++-- packages/rancher-cis-benchmark/package.yaml | 2 +- release.yaml | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/packages/rancher-cis-benchmark/charts/Chart.yaml b/packages/rancher-cis-benchmark/charts/Chart.yaml index 3049f3475..d5dcb9b97 100644 --- a/packages/rancher-cis-benchmark/charts/Chart.yaml +++ b/packages/rancher-cis-benchmark/charts/Chart.yaml @@ -2,7 +2,7 @@ annotations: catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match catalog.cattle.io/certified: rancher catalog.cattle.io/display-name: CIS Benchmark - catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.24.0-0' + catalog.cattle.io/kube-version: '>= 1.21.0-0 < 1.25.0-0' catalog.cattle.io/namespace: cis-operator-system catalog.cattle.io/os: linux catalog.cattle.io/permits-os: linux,windows @@ -12,11 +12,11 @@ annotations: catalog.cattle.io/type: cluster-tool catalog.cattle.io/ui-component: rancher-cis-benchmark apiVersion: v1 -appVersion: v2.0.5-rc2 +appVersion: v2.0.5-rc3 description: The cis-operator enables running CIS benchmark security scans on a kubernetes cluster icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg keywords: - security name: rancher-cis-benchmark -version: 2.0.5-rc2 +version: 2.0.5-rc3 diff --git a/packages/rancher-cis-benchmark/charts/values.yaml b/packages/rancher-cis-benchmark/charts/values.yaml index 8030e6330..91e812a90 100644 --- a/packages/rancher-cis-benchmark/charts/values.yaml +++ b/packages/rancher-cis-benchmark/charts/values.yaml 
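Review bot: The new `catalog.cattle.io/kube-version: '>= 1.21.0-0 < 1.25.0-0'` annotation in Chart.yaml raises the floor from 1.16 to 1.21 as well as the ceiling, and the commit message ("update annotations") does not say why the floor moved. Clusters on 1.16–1.20 would presumably no longer be offered this release of the scanner, which deserves an explicit statement rather than a silent range change. The rc2 benchmark templates removed later in this series declare `minKubernetesVersion: "1.15.0"` / `"1.16.0"` with no `maxKubernetesVersion`; if rc3 carries the same definitions, confirm that the cis-1.5 and cis-1.6 profiles are meant to be selectable on 1.24 clusters. I would record the reason beside the annotation, e.g. `# kube-version floor 1.21, ceiling <1.25: <reason, e.g. versions this release was validated on>`.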
@@ -8,10 +8,10 @@ image: tag: v1.0.9 securityScan: repository: rancher/security-scan - tag: v0.2.8-rc1 + tag: v0.2.8-rc2 sonobuoy: repository: rancher/mirrored-sonobuoy-sonobuoy - tag: v0.53.2 + tag: v0.56.7 resources: {} # We usually recommend not to specify default resources and to leave this as a conscious diff --git a/packages/rancher-cis-benchmark/package.yaml b/packages/rancher-cis-benchmark/package.yaml index 8104ee8af..58571e2fe 100644 --- a/packages/rancher-cis-benchmark/package.yaml +++ b/packages/rancher-cis-benchmark/package.yaml @@ -1,5 +1,5 @@ url: local -version: 2.0.5-rc2 +version: 2.0.5-rc3 additionalCharts: - workingDir: charts-crd crdOptions: diff --git a/release.yaml b/release.yaml index c72cbe06f..df3af4568 100644 --- a/release.yaml +++ b/release.yaml @@ -19,9 +19,9 @@ rancher-aks-operator-crd: rancher-csp-adapter: - 1.0.0+up1.0.0-rc2 rancher-cis-benchmark: -- 2.0.5-rc2 +- 2.0.5-rc3 rancher-cis-benchmark-crd: -- 2.0.5-rc2 +- 2.0.5-rc3 rancher-eks-operator: - 100.0.3+up1.1.4-rc2 rancher-eks-operator-crd: From 5ffef404e7b692098d3c22b291efc5525b59eaaa Mon Sep 17 00:00:00 2001 
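Review bot: The `securityScan` and `sonobuoy` images in values.yaml are still referenced by tag only (`tag: v0.2.8-rc2`, `tag: v0.56.7`), and a tag can be re-pointed in the registry after the chart is published. These images perform the cluster's compliance scans, so the chart is easier to audit if each reference also carries the image digest, for example `tag: v0.56.7@sha256:<digest of the mirrored image>`. That form only works if the templates render the reference as `repository:tag`, which is not visible here because the `image:` mapping and its consumers lie outside the hunk. The sonobuoy jump from v0.53.2 to v0.56.7 spans several releases, so a line in the commit message on what was verified against the new image would help.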
From: Vaishnav Gaikwad Date: Thu, 7 Jul 2022 17:19:38 +0530 Subject: [PATCH 2/3] remove older rc version --- .../rancher-cis-benchmark-crd-2.0.5-rc2.tgz | Bin 1467 -> 0 bytes .../rancher-cis-benchmark-2.0.5-rc2.tgz | Bin 5341 -> 0 bytes .../2.0.5-rc2/Chart.yaml | 10 -- .../2.0.5-rc2/README.md | 2 - .../2.0.5-rc2/templates/clusterscan.yaml | 148 ------------------ .../templates/clusterscanbenchmark.yaml | 54 ------- .../templates/clusterscanprofile.yaml | 36 ----- .../templates/clusterscanreport.yaml | 39 ----- .../2.0.5-rc2/Chart.yaml | 22 --- .../rancher-cis-benchmark/2.0.5-rc2/README.md | 9 -- .../2.0.5-rc2/app-readme.md | 15 -- .../2.0.5-rc2/templates/_helpers.tpl | 27 ---- .../2.0.5-rc2/templates/alertingrule.yaml | 14 -- .../templates/benchmark-aks-1.0.yaml | 8 - .../templates/benchmark-cis-1.5.yaml | 8 - .../templates/benchmark-cis-1.6.yaml | 8 - .../templates/benchmark-eks-1.0.1.yaml | 8 - .../templates/benchmark-gke-1.0.yaml | 8 - .../benchmark-k3s-cis-1.6-hardened.yaml | 8 - .../benchmark-k3s-cis-1.6-permissive.yaml | 8 - .../benchmark-rke-cis-1.5-hardened.yaml | 8 - .../benchmark-rke-cis-1.5-permissive.yaml | 8 - .../benchmark-rke-cis-1.6-hardened.yaml | 8 - .../benchmark-rke-cis-1.6-permissive.yaml | 8 - .../benchmark-rke2-cis-1.5-hardened.yaml | 8 - .../benchmark-rke2-cis-1.5-permissive.yaml | 8 - .../benchmark-rke2-cis-1.6-hardened.yaml | 8 - .../benchmark-rke2-cis-1.6-permissive.yaml | 8 - .../2.0.5-rc2/templates/cis-roles.yaml | 49 ------ .../2.0.5-rc2/templates/configmap.yaml | 18 --- .../2.0.5-rc2/templates/deployment.yaml | 55 ------- .../templates/network_policy_allow_all.yaml | 15 -- .../patch_default_serviceaccount.yaml | 29 ---- .../2.0.5-rc2/templates/rbac.yaml | 43 ----- .../templates/scanprofile-cis-1.5.yml | 9 -- .../templates/scanprofile-cis-1.6.yaml | 9 -- .../scanprofile-k3s-cis-1.6-hardened.yml | 9 -- .../scanprofile-k3s-cis-1.6-permissive.yml | 9 -- .../scanprofile-rke-1.5-hardened.yml | 9 -- .../scanprofile-rke-1.5-permissive.yml | 9 
-- .../scanprofile-rke-1.6-hardened.yaml | 9 -- .../scanprofile-rke-1.6-permissive.yaml | 9 -- .../scanprofile-rke2-cis-1.5-hardened.yml | 9 -- .../scanprofile-rke2-cis-1.5-permissive.yml | 9 -- .../scanprofile-rke2-cis-1.6-hardened.yml | 9 -- .../scanprofile-rke2-cis-1.6-permissive.yml | 9 -- .../2.0.5-rc2/templates/scanprofileaks.yml | 9 -- .../2.0.5-rc2/templates/scanprofileeks.yml | 9 -- .../2.0.5-rc2/templates/scanprofilegke.yml | 9 -- .../2.0.5-rc2/templates/serviceaccount.yaml | 14 -- .../templates/validate-install-crd.yaml | 17 -- .../2.0.5-rc2/values.yaml | 49 ------ index.yaml | 40 ----- 53 files changed, 960 deletions(-) delete mode 100644 assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-2.0.5-rc2.tgz delete mode 100644 assets/rancher-cis-benchmark/rancher-cis-benchmark-2.0.5-rc2.tgz delete mode 100644 charts/rancher-cis-benchmark-crd/2.0.5-rc2/Chart.yaml delete mode 100644 charts/rancher-cis-benchmark-crd/2.0.5-rc2/README.md delete mode 100644 charts/rancher-cis-benchmark-crd/2.0.5-rc2/templates/clusterscan.yaml delete mode 100644 charts/rancher-cis-benchmark-crd/2.0.5-rc2/templates/clusterscanbenchmark.yaml delete mode 100644 charts/rancher-cis-benchmark-crd/2.0.5-rc2/templates/clusterscanprofile.yaml delete mode 100644 charts/rancher-cis-benchmark-crd/2.0.5-rc2/templates/clusterscanreport.yaml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/Chart.yaml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/README.md delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/app-readme.md delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/_helpers.tpl delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/alertingrule.yaml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-aks-1.0.yaml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-cis-1.5.yaml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-cis-1.6.yaml delete mode 
100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-eks-1.0.1.yaml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-gke-1.0.yaml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-k3s-cis-1.6-hardened.yaml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-k3s-cis-1.6-permissive.yaml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-rke-cis-1.5-hardened.yaml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-rke-cis-1.5-permissive.yaml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-rke-cis-1.6-hardened.yaml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-rke-cis-1.6-permissive.yaml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-rke2-cis-1.5-hardened.yaml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-rke2-cis-1.5-permissive.yaml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-rke2-cis-1.6-hardened.yaml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-rke2-cis-1.6-permissive.yaml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/cis-roles.yaml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/configmap.yaml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/deployment.yaml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/network_policy_allow_all.yaml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/patch_default_serviceaccount.yaml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/rbac.yaml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-cis-1.5.yml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-cis-1.6.yaml delete mode 100644 
charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-k3s-cis-1.6-hardened.yml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-k3s-cis-1.6-permissive.yml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-rke-1.5-hardened.yml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-rke-1.5-permissive.yml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-rke-1.6-hardened.yaml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-rke-1.6-permissive.yaml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-rke2-cis-1.5-hardened.yml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-rke2-cis-1.5-permissive.yml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-rke2-cis-1.6-hardened.yml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-rke2-cis-1.6-permissive.yml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofileaks.yml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofileeks.yml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofilegke.yml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/serviceaccount.yaml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/templates/validate-install-crd.yaml delete mode 100644 charts/rancher-cis-benchmark/2.0.5-rc2/values.yaml 
diff --git a/assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-2.0.5-rc2.tgz b/assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-2.0.5-rc2.tgz deleted file mode 100644 index eda11fbf37ce8b638af67b93ae4b90e9dc1153b8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1467 zcmV;s1w{HEiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PI>(bK*7-&NIJ4bA85V93UOua@@6ZZ7-K0>GgS$H=v6xd8BoE zOsD_7BijkKu`vciu5;`QgCu_|+24LEt*t@wCF(vGrawo?mm%oKKG*)+=@K+KD+q&& z1I=|^cRU;>zpm?+f8CKcyci6<(a0TNdE=`KcQ78f!wcpf>UbB64S~LJ5B61F-2cQt zN<~0INi*p&#(^ME3x@+yfR0daIcgFQ0{scgxKcT6DSRL0guNjhI9AT)1z5F0{m zILN*9V0-)zTyHQa#=keX91qU%e+tV-4nzXK5lZ{dIFCOY8-h=R-lLHIgiT{ZDx9HF zvF7+5AA}T11cXT71A*0#G=6e~F%B1I9nn1#A-4k;TE$T!1i8-i`b3Br%eW;VLVSQeHERzI88(;$H`sGqEyS*1!FNNHGLt_6HQSsMhmT1Y}Y zRY4reY-WA-)hKxjw45-<5KwHK01VAyY3F&X)q@D|2Er8V`L5)ak`2kaQ&BObgTgbDlS-*gCHVhGQjDnfaE`|-==U7?w=NZV{rVvUnr zoN2+@s>h{{3V~JbW=zIGU>`&-iu1OyxIFa6eQOP0KXGgMr%=`32;Z;*YZ?iq)vT$C zB~^P#A*`S+5|J#My~)=BYMLD~(e3xb8dx8nj`h0fO8PW+f-q2Vtcn z)ch-Qsv%Hir{PMY6&N8an1eD7H(UEGr@r~-oR+R_Uvk$>It$_*L+=K^kqwRO3RdkO zb$8EP6LMkc)^${KCDR;U!9qb8R+6)cx>mXGHAs^nTaB*c+YWKk7}BY~KO-LqkMAo) zW9%;Is7^G3QS!Jxs@UDNk7U3RJ#3Ytoq__ihE=K07bXf|)p2%1t(D%EaOyR8E9VZ+ ziIxdR1E&`qsFZ!yxcn{8xcW5Fr977Rpj~3Cd3wb96(#DVO0tQ*Z7Y)Py*s9|We#r-a|$ESU+tfh2iN1^ex3n4$KwXFZGOQkIeferP4 z?`k+M)&DNNk$0~Dox+Y?|9c@!hlRj*&zMPfMMZG!^mR*v5ppM+)~!}g!hey>LPfCD zw?nBX6!Q0Yj#?t2$(~;U`BVLXUEtwc1AP5}9pHJwq?f0dmRvqTv{5nLVc>!8lJ`+N z`^=C2uB&Aw(sg>S-g19Va5suyAAF{b>ng65oG}7)hU_<^NjJ(TI z{`am%?m7RT!j7H)Gs1M3{qyh6Dsum`!|pTx_ayKyp?Uy3F`PLS82k)vo3#)tWkZxry^HFWo&?|laI~rb|>whP)pSFDLdd+5OALC2V#Ape`#Kz~eu|c2BS9PD%zV-^wcDA#f V?QB){UjP6A|Nkb)viHg!#~#`Hml3kE_bMD@m93(T4%wR=J5Gd?O;(OQvgO3V z;f(L2=lSQk|Gw_)`rMz_^}65J>*7oyX9E2@fB;CyN!Lu=S=Ug;AVOaHnUs~di@CIi zjk&yxv6YpKp|!WCldnsJg{hyiuB*2X=rAfOXi+XZj1Ywu=-i4D9D1kMjU2BEZ5`gk zv_`VIn}vq9m47j(F=*wk<&Pm!^$OvDUT{t-3XT1Qr#1TOC?Dk4j3m 
z|LS2eTb9isGkd`fYC$Xs4WD%dA3l|achyF2J|(9gY=8JBkoToDD1)B?6?;HmMjR~Q zm#G_&Bw3|Phc5DOm-~c*+++MrO(h@B&vayto<2+%iWK}FW5BLG`0G`3iWf#ephz6g z->J1jlTcc4wsr=Mj?Y}F3sHY3$%;4%R zxt!#%$k6;hSzKR3$8`26?h2mbPU&`DP-bQ=f_RdXC5Fk|+Dmz2G{qP!411I5QuB$QreNtg zoGpM&BAq`Qc6rZDRt!Lz2yia7_&{qi#{`03m_p%K0$8C64G{R-9qC^KZ1<=LDBr_B%B`kEY{yH~W$Sv>r(yOO&bMl+tD_3GD z^1nx>Ssd&ot-wq2XfA2^#`={|%(qPa>h=%iF`h1GF?yvxRD~GY_6R!EW_O;xj2Cgw zE)9ew{_ywc^tmYHQmPB*amUGQO#ikUv>+Fq49hOvOOnsgVQ;gqp?Ignz%k6R1fBuW ztR0hQrRvfds1+d)&MqqA^{`QwWR4@_-i()gW7P4N3TiQ1G-`V^4>~oJ#!Gb~xT(GT zepDruOU;_Fyy|P|)*&8>l{9`Xb-$O5VS53t&Kgxc%kxE1P>zkuoPpPZ`azM+0NaX( zC5@W)iU|uuk9D?sDj}ukj{{2HfIQzzkJq-}+v|Om9rPv<)I>&niDWpKVFQrL-p2pO z@@-N>;PnTNymP91LDMg8h%xjs`I1U}*%M+yz2M!S_Z_v!-}!WTYc0W))@E#5j-WEw zv^QskUFJ#4$B3wR_@*O!i6XaD)Kz^Y8tEuIXf+=zh^x;C)Hi~qq@}!E>^T1nCH~=Z zr!(bbOU3T$-kO}=ZZK7ptK8F>-=<)319{|dR$6?+7CFQ{w7AIGC<-rHk40&>y`p@F z%7rP3r~mxBXj3p89*z1vZIlM^(=TSRktOkit)+RC4qzc_Lse;|x4>^^Q zso_i`dNdKNsC-*E$)v!M=EqU_AQgqlFOJ5+m18yN4F>ALW0MbgM#+w$TdAfL`$NWd zl^kEadc0JcoT46Bcmw7~OYN-B=ssuGQ?`YYT8#k;N510(XhCq^d%W1IKgVp~Z}M-m zRCOz~kp22FNzGW4#^!o)DCGG0h$gGL{e;8Mf)IZWSim&Jl91xOKe#*+ zqJQ+H+i}BH>Yx@$w?7d?x}Yg5k;F#t1$`olym{d_7u13j`uKs#v+j{CKfifYB>-8d z^cw(?yxz;bdL|So;)yfCb``SoQZn*BB9FmD3v!f_I@R zT_*>p>>ryJde>-Ll>p#pd1aa@J(T}*RQrHdRwmYHR4AHLY-oA4qWL@N!A9SA4Z{ik z7lYKPc&AO}JklSugCuRVj?o@<66W9z0hb?m{R8DsQs6CQ+T6W+E86jVH^y7)F?DwR{RZZrL0F!5liP3t3R)w|NGgJ23I<${av(cm2L9f8 zk`8I+x99~fC(AKlQ7VA%HesYFY7GeY!f{$-#6Hd;z=H&cmos(aT>ue*3sbyJ&@W!z z0JC$ANQ11TVszTCsVqPN?Hz@MiITa%THm(;6v?QvKRJ5IpZ31boN0(;9gFXL+dLZLvI zEuxSTaGfNez-(Oa$-;ZClMax-RgS?g0-K?(z&|zr(&)e|c}a|o7S|!i=MLa%lmqb* zEpYG)cub-s?ehv?*ai?sp1`$27Q*~Tpg|qd!qyH!(f~Zafc*<-*>!$671qHcCTdz6 z~rnmzZ!I0O-`nWC++ke3xAf8k+RhXDwG(sj7~KV^p>t=1jD zEJ~PqM}HyIs;~6v4kW*Ba~KdyIKi;A^#|#dCfZE`GQHrXDa9wHRQ2I8`q9LiI0;v2 zdeS>U=BIe{M4XP()kviK)2aUT;_OQMX3gg3ANJPXY58gNVjq3$3rnCSO|;|3?$Zp^ z9rosS@@4YZa;hs+;xTVCh>*q)OjjDC|KlwB>A-g`G(#e2iJvb!8b$mVZMoeuqj%@= zcgORk_|d6j%D=39MhD$b(l#9JwKleEjc+Ah 
z0|~};-vyDMtdM{U|KS9o4ZTx<_iL-c!_D~Trpj~0^ghszf30lXBzHAxQds6rHSP;z zj+2oZ!7!c1(`nu16`?5*Q8m=4js2vIUXw-eSAmg7>RmTk=lP{bC7dXNJHhyN$@M1J z1OoX}!j2%LxYi4g39*1hNqU$} zta86oU|m;}RdT)kP26L_JEuc1BXe;?pienSPkPLqDQxDu`NSr@IVVf}c0Wb3Vde}} zN{e43D`1e4)OUz%JaIlq(%~+zxjsNpp+0ky?E09w_(xbpOi2mNVOaeG#KG}&Vt&h< z=>{}hwcCT%=oQ7sVRUx@)cxTYOpv0EOrT7?u_;pOEV*RbRUMBca-~>Uenv6B;|}TW z#NbB8&KC9%`6(mQV5s|>H(b`yNw_cTgFB?{MwY%RP(nweLI%?_E%*=oP6il2&qE;# zI&7Oo+cij8>sKN9IjE;UYnxLJ@~3Hctf38lq7z^T`vUvb$g9i!(}z3rHG@M3h;Roe zaAbEeRwA9gz&ll8ZE=Cy+%x7JUv2m4GdD7$er;K{c}{k@5+T@o)gV?)cTDkVe|&G za|CFfKgoWi{nDoiaw1(=7S8SRTM)=7&hwY(q)2-Tf1vh_?+P&d+G~jg7m@-E(^VVb z9F0rT?sm8Uo3QX!6s(~(0pjBJd@z{+8ELG4aIxd704nmnZ!%c(YMWx4^Vi?Yh`YQg z$t*G%myy0;m6lp4S6v_c3EGG~A)+G0p1si%s8~>Vg29I+T=!50V7t63H43o6MN~Uk znbNtXW0vp%ptA>L&ek++8sj==9PxJ5TZDEEtO(`JI86J8rKWt5bkd;io7=^yO0-it z0G)5s1gXMy(?V@=LD>uEXsZkS+os{Hg}E&HO0}}=jy0Vl@rHu+ymc3WPxEtadCmPR zzL8C%Cwe}jg@urr+==Hb&D+^7g~1sa2u+e*ePz-6&9BJMF8{i);8_T>oxN-@d#;mzxgc%MkoX5DEt26NWApC2+${rRwl6F> z%%b4@O}(MNu}j)*%CJn^MO}_^1Y2kTY@Kg7a+qx5F@IY?A$mvX@Zb&i&xq0p>6n3@ zr=sDk%LGPcR~Nt2G25DsTB_(d-cyZbHT~Z`p%cnIxmn@W{4!p@0*wRTGP^14XNe{s zueBuA&h7uyLBSsb?&o3dvLNs0)K>Mt)-mAQmYz3zd<~7U31Cq1bfg5}%OBBd{ytz% z@+b0j8$C6Xt8%3fy_0g`Qkk=qt$A}5FvAeJ0Fx)k!igNIaGac$1P1}wOB`qJ8(@%?F!$r56dpf;^yv8@A;^P4fNSS;K~ z7D8xSl&=~G-m7B=fu(@?FOO8qCo6J}gDMPBVxvbiI&2FB>w`6T;VN(hGZy?uEgnMi z&Hc9$4A8DszLS(V8gR>h4!5qkX6Oynh~NRY-$1T9wh!nN^BevNdVjQz>ItY-Zfd0Y!7zoR##==L6yEox5>KNCi z>wvzA{C|YJ`HzDCrUm77IGW`D-~Dt1X+r`+3FqlRMI$gP_zejoA`I#JMxs|I1#xZ0 zCx79#b-p2hu>edT=l*&6i1nbeGza@E9+&Dtg4-mZpkQFyGeqeBd}(@wD;a<LqE29G_+yLn|MgAkf!9SU5WDa?T0%W~5XJ!5YDMN%SYp8Y+ZTXs;Xa`u zke}ta3zhUIqO^f?FYJtV>-5U~A|yPH|5k^LN(d)dy9Nc(A>L<9&~v+7=SV zAT(_hhXm&faGbI7`-lgoJYokCekECdrS@fdW|`%u*@j!)=@sP{rP?KB2Zgs;;;HGD zq!_Yo@0w_tc2+<|pW*qW1UxtsH3_5@dJ%q1aI3g4MD2c?!GM@`SqC@r^)O0fTMX~! 
zb(WN`fgvHJJmv|34=C+;qRHT8dIrBHGI`Oc7@lj_Xz>*aPF$;ibM-!Zar(LP=4;^$&AU%9E)0@VcdAt;ZxV< zGA`ZiJuvUHa}Kdx-hAsxu%=}H_MV-{KQw^4YCB#kt;y!7S=)UuiiEA&E-v|wlw)`M zr?H9q6c)7GydrD2$Vb0cpgCCjBJbRv7M8{!oK#zMNdHRP7A0!N>fBj+h>7eYHi|?q z+Z=&JYegHgz+MjU=sIeNI~B-Mf4NtSAjBY5%XnS@U9Xe;#LSHkkCdRD*25*waBszf zZ!kboyC#W*P<}KoM>m1pt;)XZS?&g4rU8~{5!l^X^I4m~&cz_UrNdq)iRI1aOSxQ` zLaEv(p?3t^(^-#A~{V4!+|SZ3vLwMjdRmoStSP4z|Pb1r8^|`2n02rH)68gs|)bFFO^$# zH?16c@8gNo&(|RtFw&FzYm6eKb@Or>j=l@+P_hgG+EwM48I$wY$pNzSvbjjVjW3EIjBeh z9?G&BIo7`7uxdl2axS1j@%Dk_^6BHr-uoQ8RZ+v~E4B}(j5&}?D%|?-{qro0!@f50 zsL)OSSEy8#;Xy5EyNqU#vfunLmHil@cN)^RB5^RS=He{IrnFa~Cq&~US-N7VeV;8EjuPY7eU8;wrJu`1;YvO3_%bbpQxi9HUO9X3a|Vfug_Il0$0OXS zO!JM&mW#J!RJjer$skJz~`N1fP}#hA}J? zY_`8DG9(h6dGnB1n0;S>WtTdNlOW~%f3kh%Bn^L_m^srd@X{|$%Zhp5cT5}IBTh-o z8!sRN_5x?yy!nEDDt79hOec4dWOz<`={nc0KVG@vwo+5`A^8~z zHP}dAj(eQ_;7b09DMhjFd>@S1v1bo2X1!bNoAD^4KD^YQk*XPn>mZty6Bk3oXT_c` zjCQrTy(lbg4wNkH=enJuw3lPPT9HRf5x4i%kw*~Y$#^l^*K1uvN9X+`2=g0#@=DuV mT$X)@*jpS}TEc~Gsaji@YTfQOxq|=OWCH7$?mW;O2=qTtq}2)l diff --git a/charts/rancher-cis-benchmark-crd/2.0.5-rc2/Chart.yaml b/charts/rancher-cis-benchmark-crd/2.0.5-rc2/Chart.yaml deleted file mode 100644 index 8ac54062e..000000000 --- a/charts/rancher-cis-benchmark-crd/2.0.5-rc2/Chart.yaml +++ /dev/null @@ -1,10 +0,0 @@ -annotations: - catalog.cattle.io/certified: rancher - catalog.cattle.io/hidden: "true" - catalog.cattle.io/namespace: cis-operator-system - catalog.cattle.io/release-name: rancher-cis-benchmark-crd -apiVersion: v1 -description: Installs the CRDs for rancher-cis-benchmark. -name: rancher-cis-benchmark-crd -type: application -version: 2.0.5-rc2 diff --git a/charts/rancher-cis-benchmark-crd/2.0.5-rc2/README.md b/charts/rancher-cis-benchmark-crd/2.0.5-rc2/README.md deleted file mode 100644 index f6d9ef621..000000000 --- a/charts/rancher-cis-benchmark-crd/2.0.5-rc2/README.md +++ /dev/null @@ -1,2 +0,0 @@ -# rancher-cis-benchmark-crd -A Rancher chart that installs the CRDs used by rancher-cis-benchmark. 
diff --git a/charts/rancher-cis-benchmark-crd/2.0.5-rc2/templates/clusterscan.yaml b/charts/rancher-cis-benchmark-crd/2.0.5-rc2/templates/clusterscan.yaml deleted file mode 100644 index 3cbb0ffcd..000000000 --- a/charts/rancher-cis-benchmark-crd/2.0.5-rc2/templates/clusterscan.yaml +++ /dev/null 
@@ -1,148 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: clusterscans.cis.cattle.io -spec: - group: cis.cattle.io - names: - kind: ClusterScan - plural: clusterscans - scope: Cluster - versions: - - name: v1 - served: true - storage: true - additionalPrinterColumns: - - jsonPath: .status.lastRunScanProfileName - name: ClusterScanProfile - type: string - - jsonPath: .status.summary.total - name: Total - type: string - - jsonPath: .status.summary.pass - name: Pass - type: string - - jsonPath: .status.summary.fail - name: Fail - type: string - - jsonPath: .status.summary.skip - name: Skip - type: string - - jsonPath: .status.summary.warn - name: Warn - type: string - - jsonPath: .status.summary.notApplicable - name: Not Applicable - type: string - - jsonPath: .status.lastRunTimestamp - name: LastRunTimestamp - type: string - - jsonPath: .spec.scheduledScanConfig.cronSchedule - name: CronSchedule - type: string - subresources: - status: {} - schema: - openAPIV3Schema: - properties: - spec: - properties: - scanProfileName: - nullable: true - type: string - scheduledScanConfig: - nullable: true - properties: - cronSchedule: - nullable: true - type: string - retentionCount: - type: integer - scanAlertRule: - nullable: true - properties: - alertOnComplete: - type: boolean - alertOnFailure: - type: boolean - type: object - type: object - scoreWarning: - enum: - - pass - - fail - nullable: true - type: string - type: object - status: - properties: - NextScanAt: - nullable: true - type: string - ScanAlertingRuleName: - nullable: true - type: string - conditions: - items: - properties: - lastTransitionTime: - nullable: true - type: string - lastUpdateTime: - nullable: true - type: string - message: - nullable: true - type: string - reason: - nullable: true - type: string - status: - nullable: true - type: string - type: - nullable: true - type: string - type: object - nullable: true - type: array - display: - nullable: true - 
properties: - error: - type: boolean - message: - nullable: true - type: string - state: - nullable: true - type: string - transitioning: - type: boolean - type: object - lastRunScanProfileName: - nullable: true - type: string - lastRunTimestamp: - nullable: true - type: string - observedGeneration: - type: integer - summary: - nullable: true - properties: - fail: - type: integer - notApplicable: - type: integer - pass: - type: integer - skip: - type: integer - total: - type: integer - warn: - type: integer - type: object - type: object - type: object diff --git a/charts/rancher-cis-benchmark-crd/2.0.5-rc2/templates/clusterscanbenchmark.yaml b/charts/rancher-cis-benchmark-crd/2.0.5-rc2/templates/clusterscanbenchmark.yaml deleted file mode 100644 index fd291f8c3..000000000 --- a/charts/rancher-cis-benchmark-crd/2.0.5-rc2/templates/clusterscanbenchmark.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: clusterscanbenchmarks.cis.cattle.io -spec: - group: cis.cattle.io - names: - kind: ClusterScanBenchmark - plural: clusterscanbenchmarks - scope: Cluster - versions: - - name: v1 - served: true - storage: true - additionalPrinterColumns: - - jsonPath: .spec.clusterProvider - name: ClusterProvider - type: string - - jsonPath: .spec.minKubernetesVersion - name: MinKubernetesVersion - type: string - - jsonPath: .spec.maxKubernetesVersion - name: MaxKubernetesVersion - type: string - - jsonPath: .spec.customBenchmarkConfigMapName - name: customBenchmarkConfigMapName - type: string - - jsonPath: .spec.customBenchmarkConfigMapNamespace - name: customBenchmarkConfigMapNamespace - type: string - subresources: - status: {} - schema: - openAPIV3Schema: - properties: - spec: - properties: - clusterProvider: - nullable: true - type: string - customBenchmarkConfigMapName: - nullable: true - type: string - customBenchmarkConfigMapNamespace: - nullable: true - type: string - maxKubernetesVersion: - nullable: true - type: string - minKubernetesVersion: - nullable: true - type: string - type: object - type: object diff --git a/charts/rancher-cis-benchmark-crd/2.0.5-rc2/templates/clusterscanprofile.yaml b/charts/rancher-cis-benchmark-crd/2.0.5-rc2/templates/clusterscanprofile.yaml deleted file mode 100644 index 1e75501b7..000000000 --- a/charts/rancher-cis-benchmark-crd/2.0.5-rc2/templates/clusterscanprofile.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: clusterscanprofiles.cis.cattle.io -spec: - group: cis.cattle.io - names: - kind: ClusterScanProfile - plural: clusterscanprofiles - scope: Cluster - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - properties: - spec: - properties: - benchmarkVersion: - nullable: true - type: string - skipTests: - items: - nullable: true - type: string - nullable: true - type: array - type: object - type: object - additionalPrinterColumns: - - jsonPath: .spec.benchmarkVersion - name: BenchmarkVersion - type: string diff --git a/charts/rancher-cis-benchmark-crd/2.0.5-rc2/templates/clusterscanreport.yaml b/charts/rancher-cis-benchmark-crd/2.0.5-rc2/templates/clusterscanreport.yaml deleted file mode 100644 index 6e8c0b7de..000000000 --- a/charts/rancher-cis-benchmark-crd/2.0.5-rc2/templates/clusterscanreport.yaml +++ /dev/null @@ -1,39 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: clusterscanreports.cis.cattle.io -spec: - group: cis.cattle.io - names: - kind: ClusterScanReport - plural: clusterscanreports - scope: Cluster - versions: - - name: v1 - served: true - storage: true - additionalPrinterColumns: - - jsonPath: .spec.lastRunTimestamp - name: LastRunTimestamp - type: string - - jsonPath: .spec.benchmarkVersion - name: BenchmarkVersion - type: string - subresources: - status: {} - schema: - openAPIV3Schema: - properties: - spec: - properties: - benchmarkVersion: - nullable: true - type: string - lastRunTimestamp: - nullable: true - type: string - reportJSON: - nullable: true - type: string - type: object - type: object \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/Chart.yaml b/charts/rancher-cis-benchmark/2.0.5-rc2/Chart.yaml deleted file mode 100644 index 3049f3475..000000000 
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/Chart.yaml +++ /dev/null @@ -1,22 +0,0 @@ -annotations: - catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match - catalog.cattle.io/certified: rancher - catalog.cattle.io/display-name: CIS Benchmark - catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.24.0-0' - catalog.cattle.io/namespace: cis-operator-system - catalog.cattle.io/os: linux - catalog.cattle.io/permits-os: linux,windows - catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1 - catalog.cattle.io/rancher-version: '>= 2.6.0-0 < 2.7.0-0' - catalog.cattle.io/release-name: rancher-cis-benchmark - catalog.cattle.io/type: cluster-tool - catalog.cattle.io/ui-component: rancher-cis-benchmark -apiVersion: v1 -appVersion: v2.0.5-rc2 -description: The cis-operator enables running CIS benchmark security scans on a kubernetes - cluster -icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg -keywords: -- security -name: rancher-cis-benchmark -version: 2.0.5-rc2 diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/README.md b/charts/rancher-cis-benchmark/2.0.5-rc2/README.md deleted file mode 100644 index 50beab58b..000000000 --- a/charts/rancher-cis-benchmark/2.0.5-rc2/README.md +++ /dev/null @@ -1,9 +0,0 @@ -# Rancher CIS Benchmark Chart - -The cis-operator enables running CIS benchmark security scans on a kubernetes cluster and generate compliance reports that can be downloaded. - -# Installation - -``` -helm install rancher-cis-benchmark ./ --create-namespace -n cis-operator-system -``` diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/app-readme.md b/charts/rancher-cis-benchmark/2.0.5-rc2/app-readme.md deleted file mode 100644 index 5e495d605..000000000 --- a/charts/rancher-cis-benchmark/2.0.5-rc2/app-readme.md +++ /dev/null 
@@ -1,15 +0,0 @@ -# Rancher CIS Benchmarks - -This chart enables security scanning of the cluster using [CIS (Center for Internet Security) benchmarks](https://www.cisecurity.org/benchmark/kubernetes/). - -For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/cis-scans/v2.5/). - -This chart installs the following components: - -- [cis-operator](https://github.com/rancher/cis-operator) - The cis-operator handles launching the [kube-bench](https://github.com/aquasecurity/kube-bench) tool that runs a suite of CIS tests on the nodes of your Kubernetes cluster. After scans finish, the cis-operator generates a compliance report that can be downloaded. -- Scans - A scan is a CRD (`ClusterScan`) that defines when to trigger CIS scans on the cluster based on the defined profile. A report is created after the scan is completed. -- Profiles - A profile is a CRD (`ClusterScanProfile`) that defines the configuration for the CIS scan, which is the benchmark versions to use and any specific tests to skip in that benchmark. This chart installs a few default `ClusterScanProfile` custom resources with no skipped tests, which can immediately be used to launch CIS scans. -- Benchmark Versions - A benchmark version is a CRD (`ClusterScanBenchmark`) that defines the CIS benchmark version to run using kube-bench as well as the valid configuration parameters for that benchmark. This chart installs a few default `ClusterScanBenchmark` custom resources. -- Alerting Resources - Rancher's CIS Benchmark application lets you run a cluster scan on a schedule, and send alerts when scans finish. 
- - If you want to enable alerts to be delivered when a cluster scan completes, you need to ensure that [Rancher's Monitoring and Alerting](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/) application is pre-installed and the [Receivers and Routes](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/configuration/#alertmanager-config) are configured to send out alerts. - - Additionally, you need to set `alerts: true` in the Values YAML while installing or upgrading this chart. diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/_helpers.tpl b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/_helpers.tpl deleted file mode 100644 index b7bb00042..000000000 --- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/_helpers.tpl +++ /dev/null @@ -1,27 +0,0 @@ -{{/* Ensure namespace is set the same everywhere */}} -{{- define "cis.namespace" -}} - {{- .Release.Namespace | default "cis-operator-system" -}} -{{- end -}} - -{{- define "system_default_registry" -}} -{{- if .Values.global.cattle.systemDefaultRegistry -}} -{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} -{{- else -}} -{{- "" -}} -{{- end -}} -{{- end -}} - -{{/* -Windows cluster will add default taint for linux nodes, -add below linux tolerations to workloads could be scheduled to those linux nodes -*/}} -{{- define "linux-node-tolerations" -}} -- key: "cattle.io/os" - value: "linux" - effect: "NoSchedule" - operator: "Equal" -{{- end -}} - -{{- define "linux-node-selector" -}} -kubernetes.io/os: linux -{{- end -}} diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/alertingrule.yaml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/alertingrule.yaml deleted file mode 100644 index 1787c88a0..000000000 --- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/alertingrule.yaml +++ /dev/null 
@@ -1,14 +0,0 @@
-{{- if .Values.alerts.enabled -}}
----
-apiVersion: monitoring.coreos.com/v1
-kind: PodMonitor
-metadata:
- name: rancher-cis-pod-monitor
- namespace: {{ template "cis.namespace" . }}
-spec:
- selector:
- matchLabels:
- cis.cattle.io/operator: cis-operator
- podMetricsEndpoints:
- - port: cismetrics
-{{- end }}
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-aks-1.0.yaml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-aks-1.0.yaml
deleted file mode 100644
index 1ac866253..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-aks-1.0.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanBenchmark
-metadata:
- name: aks-1.0
-spec:
- clusterProvider: aks
- minKubernetesVersion: "1.15.0"
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-cis-1.5.yaml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-cis-1.5.yaml
deleted file mode 100644
index 39e8b834a..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-cis-1.5.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanBenchmark
-metadata:
- name: cis-1.5
-spec:
- clusterProvider: ""
- minKubernetesVersion: "1.15.0"
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-cis-1.6.yaml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-cis-1.6.yaml
deleted file mode 100644
index 93ba064f4..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-cis-1.6.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanBenchmark
-metadata:
- name: cis-1.6
-spec:
- clusterProvider: ""
- minKubernetesVersion: "1.16.0"
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-eks-1.0.1.yaml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-eks-1.0.1.yaml
deleted file mode 100644
index d1ba9d295..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-eks-1.0.1.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanBenchmark
-metadata:
- name: eks-1.0.1
-spec:
- clusterProvider: eks
- minKubernetesVersion: "1.15.0"
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-gke-1.0.yaml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-gke-1.0.yaml
deleted file mode 100644
index 72122e8c5..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-gke-1.0.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanBenchmark
-metadata:
- name: gke-1.0
-spec:
- clusterProvider: gke
- minKubernetesVersion: "1.15.0"
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-k3s-cis-1.6-hardened.yaml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-k3s-cis-1.6-hardened.yaml
deleted file mode 100644
index 3ca9b6009..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-k3s-cis-1.6-hardened.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanBenchmark
-metadata:
- name: k3s-cis-1.6-hardened
-spec:
- clusterProvider: k3s
- minKubernetesVersion: "1.20.5"
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-k3s-cis-1.6-permissive.yaml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-k3s-cis-1.6-permissive.yaml
deleted file mode 100644
index 6d4253c6e..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-k3s-cis-1.6-permissive.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanBenchmark
-metadata:
- name: k3s-cis-1.6-permissive
-spec:
- clusterProvider: k3s
- minKubernetesVersion: "1.20.5"
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-rke-cis-1.5-hardened.yaml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-rke-cis-1.5-hardened.yaml
deleted file mode 100644
index b5627f966..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-rke-cis-1.5-hardened.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanBenchmark
-metadata:
- name: rke-cis-1.5-hardened
-spec:
- clusterProvider: rke
- minKubernetesVersion: "1.15.0"
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-rke-cis-1.5-permissive.yaml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-rke-cis-1.5-permissive.yaml
deleted file mode 100644
index 95f80c0f0..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-rke-cis-1.5-permissive.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanBenchmark
-metadata:
- name: rke-cis-1.5-permissive
-spec:
- clusterProvider: rke
- minKubernetesVersion: "1.15.0"
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-rke-cis-1.6-hardened.yaml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-rke-cis-1.6-hardened.yaml
deleted file mode 100644
index d75de8154..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-rke-cis-1.6-hardened.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanBenchmark
-metadata:
- name: rke-cis-1.6-hardened
-spec:
- clusterProvider: rke
- minKubernetesVersion: "1.16.0"
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-rke-cis-1.6-permissive.yaml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-rke-cis-1.6-permissive.yaml
deleted file mode 100644
index 52428f4a7..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-rke-cis-1.6-permissive.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanBenchmark
-metadata:
- name: rke-cis-1.6-permissive
-spec:
- clusterProvider: rke
- minKubernetesVersion: "1.16.0"
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-rke2-cis-1.5-hardened.yaml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-rke2-cis-1.5-hardened.yaml
deleted file mode 100644
index 3d83e9bd8..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-rke2-cis-1.5-hardened.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanBenchmark
-metadata:
- name: rke2-cis-1.5-hardened
-spec:
- clusterProvider: rke2
- minKubernetesVersion: "1.18.0"
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-rke2-cis-1.5-permissive.yaml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-rke2-cis-1.5-permissive.yaml
deleted file mode 100644
index f66aa8f6e..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-rke2-cis-1.5-permissive.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanBenchmark
-metadata:
- name: rke2-cis-1.5-permissive
-spec:
- clusterProvider: rke2
- minKubernetesVersion: "1.18.0"
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-rke2-cis-1.6-hardened.yaml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-rke2-cis-1.6-hardened.yaml
deleted file mode 100644
index 3593bf371..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-rke2-cis-1.6-hardened.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanBenchmark
-metadata:
- name: rke2-cis-1.6-hardened
-spec:
- clusterProvider: rke2
- minKubernetesVersion: "1.20.5"
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-rke2-cis-1.6-permissive.yaml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-rke2-cis-1.6-permissive.yaml
deleted file mode 100644
index 522f846ae..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/benchmark-rke2-cis-1.6-permissive.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanBenchmark
-metadata:
- name: rke2-cis-1.6-permissive
-spec:
- clusterProvider: rke2
- minKubernetesVersion: "1.20.5"
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/cis-roles.yaml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/cis-roles.yaml
deleted file mode 100644
index 23c93dc65..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/cis-roles.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: cis-admin
-rules:
- - apiGroups:
- - cis.cattle.io
- resources:
- - clusterscanbenchmarks
- - clusterscanprofiles
- - clusterscans
- - clusterscanreports
- verbs: ["create", "update", "delete", "patch","get", "watch", "list"]
- - apiGroups:
- - catalog.cattle.io
- resources: ["apps"]
- resourceNames: ["rancher-cis-benchmark"]
- verbs: ["get", "watch", "list"]
- - apiGroups:
- - ""
- resources:
- - configmaps
- verbs:
- - '*'
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: cis-view
-rules:
- - apiGroups:
- - cis.cattle.io
- resources:
- - clusterscanbenchmarks
- - clusterscanprofiles
- - clusterscans
- - clusterscanreports
- verbs: ["get", "watch", "list"]
- - apiGroups:
- - catalog.cattle.io
- resources: ["apps"]
- resourceNames: ["rancher-cis-benchmark"]
- verbs: ["get", "watch", "list"]
- - apiGroups:
- - ""
- resources:
- - configmaps
- verbs: ["get", "watch", "list"]
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/configmap.yaml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/configmap.yaml
deleted file mode 100644
index 3de10e55e..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/configmap.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-kind: ConfigMap
-apiVersion: v1
-metadata:
- name: default-clusterscanprofiles
- namespace: {{ template "cis.namespace" . }}
-data:
- # Default ClusterScanProfiles per cluster provider type
- rke: |-
- <1.16.0: rke-profile-permissive-1.5
- >=1.16.0: rke-profile-permissive-1.6
- rke2: |-
- <1.20.5: rke2-cis-1.5-profile-permissive
- >=1.20.5: rke2-cis-1.6-profile-permissive
- eks: "eks-profile"
- gke: "gke-profile"
- aks: "aks-profile"
- k3s: "k3s-cis-1.6-profile-permissive"
- default: "cis-1.6-profile"
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/deployment.yaml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/deployment.yaml
deleted file mode 100644
index ab0bb3e24..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/deployment.yaml
+++ /dev/null
@@ -1,55 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: cis-operator - namespace: {{ template "cis.namespace" . }} - labels: - cis.cattle.io/operator: cis-operator -spec: - selector: - matchLabels: - cis.cattle.io/operator: cis-operator - template: - metadata: - labels: - cis.cattle.io/operator: cis-operator - spec: - serviceAccountName: cis-operator-serviceaccount - containers: - - name: cis-operator - image: '{{ template "system_default_registry" . }}{{ .Values.image.cisoperator.repository }}:{{ .Values.image.cisoperator.tag }}' - imagePullPolicy: Always - ports: - - name: cismetrics - containerPort: {{ .Values.alerts.metricsPort }} - env: - - name: SECURITY_SCAN_IMAGE - value: {{ template "system_default_registry" . }}{{ .Values.image.securityScan.repository }} - - name: SECURITY_SCAN_IMAGE_TAG - value: {{ .Values.image.securityScan.tag }} - - name: SONOBUOY_IMAGE - value: {{ template "system_default_registry" . }}{{ .Values.image.sonobuoy.repository }} - - name: SONOBUOY_IMAGE_TAG - value: {{ .Values.image.sonobuoy.tag }} - - name: CIS_ALERTS_METRICS_PORT - value: '{{ .Values.alerts.metricsPort }}' - - name: CIS_ALERTS_SEVERITY - value: {{ .Values.alerts.severity }} - - name: CIS_ALERTS_ENABLED - value: {{ .Values.alerts.enabled | default "false" | quote }} - - name: CLUSTER_NAME - value: '{{ .Values.global.cattle.clusterName }}' - resources: - {{- toYaml .Values.resources | nindent 12 }} - nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} -{{- if .Values.nodeSelector }} -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} - tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} -{{- if .Values.tolerations }} -{{ toYaml .Values.tolerations | indent 8 }} -{{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} 
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/network_policy_allow_all.yaml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/network_policy_allow_all.yaml deleted file mode 100644 index 6ed5d645e..000000000 --- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/network_policy_allow_all.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: default-allow-all - namespace: {{ template "cis.namespace" . }} -spec: - podSelector: {} - ingress: - - {} - egress: - - {} - policyTypes: - - Ingress - - Egress diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/patch_default_serviceaccount.yaml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/patch_default_serviceaccount.yaml deleted file mode 100644 index e78a6bd08..000000000 --- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/patch_default_serviceaccount.yaml +++ /dev/null @@ -1,29 +0,0 @@ ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: patch-sa - annotations: - "helm.sh/hook": post-install, post-upgrade - "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation -spec: - template: - spec: - serviceAccountName: cis-operator-serviceaccount - nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} -{{- if .Values.nodeSelector }} -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} - tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} -{{- if .Values.tolerations }} -{{ toYaml .Values.tolerations | indent 8 }} -{{- end }} - restartPolicy: Never - containers: - - name: sa - image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}" - imagePullPolicy: {{ .Values.global.imagePullPolicy }} - command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"] - args: ["-n", {{ template "cis.namespace" . }}] - - backoffLimit: 1 
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/rbac.yaml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/rbac.yaml deleted file mode 100644 index 4ff88ea5f..000000000 --- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/rbac.yaml +++ /dev/null @@ -1,43 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: rancher-cis-benchmark - app.kubernetes.io/instance: release-name - name: cis-operator-role -rules: -- apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/name: rancher-cis-benchmark - app.kubernetes.io/instance: release-name - name: cis-operator-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cis-operator-role -subjects: -- kind: ServiceAccount - name: cis-serviceaccount - namespace: {{ template "cis.namespace" . }} ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: cis-operator-installer -subjects: -- kind: ServiceAccount - name: cis-operator-serviceaccount - namespace: {{ template "cis.namespace" . }} -roleRef: - kind: ClusterRole - name: cluster-admin - apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-cis-1.5.yml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-cis-1.5.yml deleted file mode 100644 index d69ae9dd5..000000000 --- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-cis-1.5.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -apiVersion: cis.cattle.io/v1 -kind: ClusterScanProfile -metadata: - name: cis-1.5-profile - annotations: - clusterscanprofile.cis.cattle.io/builtin: "true" -spec: - benchmarkVersion: cis-1.5 
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-cis-1.6.yaml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-cis-1.6.yaml
deleted file mode 100644
index 8a8d8bf88..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-cis-1.6.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanProfile
-metadata:
- name: cis-1.6-profile
- annotations:
- clusterscanprofile.cis.cattle.io/builtin: "true"
-spec:
- benchmarkVersion: cis-1.6
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-k3s-cis-1.6-hardened.yml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-k3s-cis-1.6-hardened.yml
deleted file mode 100644
index 095e977ab..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-k3s-cis-1.6-hardened.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanProfile
-metadata:
- name: k3s-cis-1.6-profile-hardened
- annotations:
- clusterscanprofile.cis.cattle.io/builtin: "true"
-spec:
- benchmarkVersion: k3s-cis-1.6-hardened
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-k3s-cis-1.6-permissive.yml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-k3s-cis-1.6-permissive.yml
deleted file mode 100644
index 3b22a80c8..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-k3s-cis-1.6-permissive.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanProfile
-metadata:
- name: k3s-cis-1.6-profile-permissive
- annotations:
- clusterscanprofile.cis.cattle.io/builtin: "true"
-spec:
- benchmarkVersion: k3s-cis-1.6-permissive
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-rke-1.5-hardened.yml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-rke-1.5-hardened.yml
deleted file mode 100644
index 4eabe158a..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-rke-1.5-hardened.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanProfile
-metadata:
- name: rke-profile-hardened-1.5
- annotations:
- clusterscanprofile.cis.cattle.io/builtin: "true"
-spec:
- benchmarkVersion: rke-cis-1.5-hardened
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-rke-1.5-permissive.yml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-rke-1.5-permissive.yml
deleted file mode 100644
index 1f78751d1..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-rke-1.5-permissive.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanProfile
-metadata:
- name: rke-profile-permissive-1.5
- annotations:
- clusterscanprofile.cis.cattle.io/builtin: "true"
-spec:
- benchmarkVersion: rke-cis-1.5-permissive
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-rke-1.6-hardened.yaml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-rke-1.6-hardened.yaml
deleted file mode 100644
index d38febd80..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-rke-1.6-hardened.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanProfile
-metadata:
- name: rke-profile-hardened-1.6
- annotations:
- clusterscanprofile.cis.cattle.io/builtin: "true"
-spec:
- benchmarkVersion: rke-cis-1.6-hardened
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-rke-1.6-permissive.yaml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-rke-1.6-permissive.yaml
deleted file mode 100644
index d31b5b0d2..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-rke-1.6-permissive.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanProfile
-metadata:
- name: rke-profile-permissive-1.6
- annotations:
- clusterscanprofile.cis.cattle.io/builtin: "true"
-spec:
- benchmarkVersion: rke-cis-1.6-permissive
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-rke2-cis-1.5-hardened.yml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-rke2-cis-1.5-hardened.yml
deleted file mode 100644
index 83eb3131e..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-rke2-cis-1.5-hardened.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanProfile
-metadata:
- name: rke2-cis-1.5-profile-hardened
- annotations:
- clusterscanprofile.cis.cattle.io/builtin: "true"
-spec:
- benchmarkVersion: rke2-cis-1.5-hardened
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-rke2-cis-1.5-permissive.yml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-rke2-cis-1.5-permissive.yml
deleted file mode 100644
index 40dc44bdf..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-rke2-cis-1.5-permissive.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanProfile
-metadata:
- name: rke2-cis-1.5-profile-permissive
- annotations:
- clusterscanprofile.cis.cattle.io/builtin: "true"
-spec:
- benchmarkVersion: rke2-cis-1.5-permissive
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-rke2-cis-1.6-hardened.yml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-rke2-cis-1.6-hardened.yml
deleted file mode 100644
index c7ac7f949..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-rke2-cis-1.6-hardened.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanProfile
-metadata:
- name: rke2-cis-1.6-profile-hardened
- annotations:
- clusterscanprofile.cis.cattle.io/builtin: "true"
-spec:
- benchmarkVersion: rke2-cis-1.6-hardened
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-rke2-cis-1.6-permissive.yml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-rke2-cis-1.6-permissive.yml
deleted file mode 100644
index 96ca1345a..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofile-rke2-cis-1.6-permissive.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanProfile
-metadata:
- name: rke2-cis-1.6-profile-permissive
- annotations:
- clusterscanprofile.cis.cattle.io/builtin: "true"
-spec:
- benchmarkVersion: rke2-cis-1.6-permissive
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofileaks.yml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofileaks.yml
deleted file mode 100644
index ea7b25b40..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofileaks.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanProfile
-metadata:
- name: aks-profile
- annotations:
- clusterscanprofile.cis.cattle.io/builtin: "true"
-spec:
- benchmarkVersion: aks-1.0
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofileeks.yml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofileeks.yml
deleted file mode 100644
index 3b4e34437..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofileeks.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanProfile
-metadata:
- name: eks-profile
- annotations:
- clusterscanprofile.cis.cattle.io/builtin: "true"
-spec:
- benchmarkVersion: eks-1.0.1
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofilegke.yml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofilegke.yml
deleted file mode 100644
index 2ddd0686f..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/scanprofilegke.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanProfile
-metadata:
- name: gke-profile
- annotations:
- clusterscanprofile.cis.cattle.io/builtin: "true"
-spec:
- benchmarkVersion: gke-1.0
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/serviceaccount.yaml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/serviceaccount.yaml
deleted file mode 100644
index ec48ec622..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- namespace: {{ template "cis.namespace" . }}
- name: cis-operator-serviceaccount
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- namespace: {{ template "cis.namespace" . }}
- labels:
- app.kubernetes.io/name: rancher-cis-benchmark
- app.kubernetes.io/instance: release-name
- name: cis-serviceaccount
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/validate-install-crd.yaml b/charts/rancher-cis-benchmark/2.0.5-rc2/templates/validate-install-crd.yaml
deleted file mode 100644
index 562295791..000000000
--- a/charts/rancher-cis-benchmark/2.0.5-rc2/templates/validate-install-crd.yaml
+++ /dev/null
@@ -1,17 +0,0 @@ -#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} -# {{- $found := dict -}} -# {{- set $found "cis.cattle.io/v1/ClusterScan" false -}} -# {{- set $found "cis.cattle.io/v1/ClusterScanBenchmark" false -}} -# {{- set $found "cis.cattle.io/v1/ClusterScanProfile" false -}} -# {{- set $found "cis.cattle.io/v1/ClusterScanReport" false -}} -# {{- range .Capabilities.APIVersions -}} -# {{- if hasKey $found (toString .) -}} -# {{- set $found (toString .) true -}} -# {{- end -}} -# {{- end -}} -# {{- range $_, $exists := $found -}} -# {{- if (eq $exists false) -}} -# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}} -# {{- end -}} -# {{- end -}} -#{{- end -}} \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/2.0.5-rc2/values.yaml b/charts/rancher-cis-benchmark/2.0.5-rc2/values.yaml deleted file mode 100644 index 8030e6330..000000000 --- a/charts/rancher-cis-benchmark/2.0.5-rc2/values.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -# Default values for rancher-cis-benchmark. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -image: - cisoperator: - repository: rancher/cis-operator - tag: v1.0.9 - securityScan: - repository: rancher/security-scan - tag: v0.2.8-rc1 - sonobuoy: - repository: rancher/mirrored-sonobuoy-sonobuoy - tag: v0.53.2 - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -## Node labels for pod assignment -## Ref: https://kubernetes.io/docs/user-guide/node-selection/ -## -nodeSelector: {} - -## List of node taints to tolerate (requires Kubernetes >= 1.6) -tolerations: [] - -affinity: {} - -global: - cattle: - systemDefaultRegistry: "" - clusterName: "" - kubectl: - repository: rancher/kubectl - tag: v1.20.2 - -alerts: - enabled: false - severity: warning - metricsPort: 8080 diff --git a/index.yaml b/index.yaml index db158b1c9..dee4eb894 100755 --- a/index.yaml +++ b/index.yaml 
@@ -2476,32 +2476,6 @@ entries: - assets/rancher-backup-crd/rancher-backup-crd-1.0.200.tgz version: 1.0.200 rancher-cis-benchmark: - - annotations: - catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match - catalog.cattle.io/certified: rancher - catalog.cattle.io/display-name: CIS Benchmark - catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.24.0-0' - catalog.cattle.io/namespace: cis-operator-system - catalog.cattle.io/os: linux - catalog.cattle.io/permits-os: linux,windows - catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1 - catalog.cattle.io/rancher-version: '>= 2.6.0-0 < 2.7.0-0' - catalog.cattle.io/release-name: rancher-cis-benchmark - catalog.cattle.io/type: cluster-tool - catalog.cattle.io/ui-component: rancher-cis-benchmark - apiVersion: v1 - appVersion: v2.0.5-rc2 - created: "2022-06-23T19:16:31.151561355+05:30" - description: The cis-operator enables running CIS benchmark security scans on - a kubernetes cluster - digest: 54e7f86cbcb73c8168e62908428f301ae0b85fadc6e1a497d76ed5bfaa7556b3 - icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg - keywords: - - security - name: rancher-cis-benchmark - urls: - - assets/rancher-cis-benchmark/rancher-cis-benchmark-2.0.5-rc2.tgz - version: 2.0.5-rc2 - annotations: catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match catalog.cattle.io/certified: rancher 
@@ -2765,20 +2739,6 @@ entries: - assets/rancher-cis-benchmark/rancher-cis-benchmark-1.0.100.tgz version: 1.0.100 rancher-cis-benchmark-crd: - - annotations: - catalog.cattle.io/certified: rancher - catalog.cattle.io/hidden: "true" - catalog.cattle.io/namespace: cis-operator-system - catalog.cattle.io/release-name: rancher-cis-benchmark-crd - apiVersion: v1 - created: "2022-06-23T19:16:31.157730516+05:30" - description: Installs the CRDs for rancher-cis-benchmark. - digest: ef8be19aeb29bad889d6326c4cd1f25ae123accc563469a3eb16516a9c0a54af - name: rancher-cis-benchmark-crd - type: application - urls: - - assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-2.0.5-rc2.tgz - version: 2.0.5-rc2 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true" From 14054ebc91fab270f0d77f0895496b7f4e899ed0 Mon Sep 17 00:00:00 2001 
From: Vaishnav Gaikwad Date: Thu, 7 Jul 2022 17:21:23 +0530 Subject: [PATCH 3/3] make charts --- .../rancher-cis-benchmark-crd-2.0.5-rc3.tgz | Bin 0 -> 1467 bytes .../rancher-cis-benchmark-2.0.5-rc3.tgz | Bin 0 -> 5343 bytes .../2.0.5-rc3/Chart.yaml | 10 ++ .../2.0.5-rc3/README.md | 2 + .../2.0.5-rc3/templates/clusterscan.yaml | 148 ++++++++++++++++++ .../templates/clusterscanbenchmark.yaml | 54 +++++++ .../templates/clusterscanprofile.yaml | 36 +++++ .../templates/clusterscanreport.yaml | 39 +++++ .../2.0.5-rc3/Chart.yaml | 22 +++ .../rancher-cis-benchmark/2.0.5-rc3/README.md | 9 ++ .../2.0.5-rc3/app-readme.md | 15 ++ .../2.0.5-rc3/templates/_helpers.tpl | 27 ++++ .../2.0.5-rc3/templates/alertingrule.yaml | 14 ++ .../templates/benchmark-aks-1.0.yaml | 8 + .../templates/benchmark-cis-1.5.yaml | 8 + .../templates/benchmark-cis-1.6.yaml | 8 + .../templates/benchmark-eks-1.0.1.yaml | 8 + .../templates/benchmark-gke-1.0.yaml | 8 + .../benchmark-k3s-cis-1.6-hardened.yaml | 8 + .../benchmark-k3s-cis-1.6-permissive.yaml | 8 + .../benchmark-rke-cis-1.5-hardened.yaml | 8 + .../benchmark-rke-cis-1.5-permissive.yaml | 8 + .../benchmark-rke-cis-1.6-hardened.yaml | 8 + .../benchmark-rke-cis-1.6-permissive.yaml | 8 + .../benchmark-rke2-cis-1.5-hardened.yaml | 8 + .../benchmark-rke2-cis-1.5-permissive.yaml | 8 + .../benchmark-rke2-cis-1.6-hardened.yaml | 8 + .../benchmark-rke2-cis-1.6-permissive.yaml | 8 + .../2.0.5-rc3/templates/cis-roles.yaml | 49 ++++++ .../2.0.5-rc3/templates/configmap.yaml | 18 +++ .../2.0.5-rc3/templates/deployment.yaml | 55 +++++++ .../templates/network_policy_allow_all.yaml | 15 ++ .../patch_default_serviceaccount.yaml | 29 ++++ .../2.0.5-rc3/templates/rbac.yaml | 43 +++++ .../templates/scanprofile-cis-1.5.yml | 9 ++ .../templates/scanprofile-cis-1.6.yaml | 9 ++ .../scanprofile-k3s-cis-1.6-hardened.yml | 9 ++ .../scanprofile-k3s-cis-1.6-permissive.yml | 9 ++ .../scanprofile-rke-1.5-hardened.yml | 9 ++ .../scanprofile-rke-1.5-permissive.yml | 9 ++ 
.../scanprofile-rke-1.6-hardened.yaml | 9 ++ .../scanprofile-rke-1.6-permissive.yaml | 9 ++ .../scanprofile-rke2-cis-1.5-hardened.yml | 9 ++ .../scanprofile-rke2-cis-1.5-permissive.yml | 9 ++ .../scanprofile-rke2-cis-1.6-hardened.yml | 9 ++ .../scanprofile-rke2-cis-1.6-permissive.yml | 9 ++ .../2.0.5-rc3/templates/scanprofileaks.yml | 9 ++ .../2.0.5-rc3/templates/scanprofileeks.yml | 9 ++ .../2.0.5-rc3/templates/scanprofilegke.yml | 9 ++ .../2.0.5-rc3/templates/serviceaccount.yaml | 14 ++ .../templates/validate-install-crd.yaml | 17 ++ .../2.0.5-rc3/values.yaml | 49 ++++++ index.yaml | 40 +++++ 53 files changed, 960 insertions(+) create mode 100644 assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-2.0.5-rc3.tgz create mode 100644 assets/rancher-cis-benchmark/rancher-cis-benchmark-2.0.5-rc3.tgz create mode 100644 charts/rancher-cis-benchmark-crd/2.0.5-rc3/Chart.yaml create mode 100644 charts/rancher-cis-benchmark-crd/2.0.5-rc3/README.md create mode 100644 charts/rancher-cis-benchmark-crd/2.0.5-rc3/templates/clusterscan.yaml create mode 100644 charts/rancher-cis-benchmark-crd/2.0.5-rc3/templates/clusterscanbenchmark.yaml create mode 100644 charts/rancher-cis-benchmark-crd/2.0.5-rc3/templates/clusterscanprofile.yaml create mode 100644 charts/rancher-cis-benchmark-crd/2.0.5-rc3/templates/clusterscanreport.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/Chart.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/README.md create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/app-readme.md create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/_helpers.tpl create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/alertingrule.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-aks-1.0.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-cis-1.5.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-cis-1.6.yaml create mode 
100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-eks-1.0.1.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-gke-1.0.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-k3s-cis-1.6-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-k3s-cis-1.6-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-rke-cis-1.5-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-rke-cis-1.5-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-rke-cis-1.6-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-rke-cis-1.6-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-rke2-cis-1.5-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-rke2-cis-1.5-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-rke2-cis-1.6-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-rke2-cis-1.6-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/cis-roles.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/configmap.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/deployment.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/network_policy_allow_all.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/patch_default_serviceaccount.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/rbac.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-cis-1.5.yml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-cis-1.6.yaml create mode 100644 
charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-k3s-cis-1.6-hardened.yml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-k3s-cis-1.6-permissive.yml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-rke-1.5-hardened.yml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-rke-1.5-permissive.yml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-rke-1.6-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-rke-1.6-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-rke2-cis-1.5-hardened.yml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-rke2-cis-1.5-permissive.yml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-rke2-cis-1.6-hardened.yml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-rke2-cis-1.6-permissive.yml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofileaks.yml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofileeks.yml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofilegke.yml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/serviceaccount.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/templates/validate-install-crd.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.5-rc3/values.yaml 
diff --git a/assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-2.0.5-rc3.tgz b/assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-2.0.5-rc3.tgz new file mode 100644 index 0000000000000000000000000000000000000000..116abae0ae6b28469b33b960ac73edc4cbb8d6ae GIT binary patch literal 1467 zcmV;s1w{HEiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PI>(bK*7-&NIJ4bA85V93UOua@@6ZZ7-K0>GgS$H=v6xd8BoE zOsD_7BijkKu`vciu5;`QgCu_|+24LEt*t@wCF(vGrawo?mm%oKKG*)+=@K+KD+q&& z1I=|^cRU;>zpm?+f8CKcyci6<@nAF@dSmy(9gN*8?}E99I^M-%L!d9*gMF13_dhX^ zQW20)(oA}caUclP!r?#^pd-{}k;R(QqvyO8$S8h9C$Gqb0KG z?7d+RN>^h!y(UMrig3apiUPrtyViSp_Uk#WGwN%8*?aA0+Q#bRpD>I9AT)1z5F0{m zILN*9V0-)zTyHQa#=keX9A2H{{}h&w9Eb#dBb4@^aUOp*HUysry+dtq1O?ptTuUpc2#hHp-L4y20X={yPU)9*Ln|QjD53(;-MXO_(BGhC0qC!F zLn|Pu=sH#Vc~E?uH;ULs*G||OSMEiKh9E4i_>bz&2H*&}WB3yNI6&VrY^vmgSU6lO zd6%^p$++3E;ljjoorQbGd>bov2^03uzv&RZ#1Ni4RfO{T_T!h!yFxQ#k+#{M#2P2L zIMaf)RgX&@6#}c=&6tdXz&?mv6z6SYae3&C`_>x1e&W{hPob*65x!vs)-)1It65VO zORDygLRdjtBqCWhdy}sN)HFL}qTBCh7MoCgj4>t?Q`fN~Sryf`x)GtR!a>b**yWYmg>Ewi;c>w;kf7F{D#}e?~qK9^Y4p z#@JoZQJrW6qvUaYRI$5jAIX3tde|yOI|T)34XaY0FH97`s^jd2S}VOR;nZvHR?Z!s z6D<>t22L+JP$~PYars-GarJ4UOL;8sLA%6O^Yn=ID@xQ!m1Glr+g2podv{Dzn^^bT z78T9_`$5=bzvrIpQB*vfU9L<{iu+w^k5BttSxf24jzZ&W7eaneYgzwWmr7d{0vqc8 z-qmnis{dVjL-$<&JB1y){`W$d4hwFbsTBjiptty`_0g#RL$g^FOQ zZ--J(DCF<)9JNG3lRduz@~8R%yTHS@2Kf2`JHYdVNiR<^ExCMxXrp4f!@vXGCGVql z_L(33U02IWr0eutz2*L#%1`EX{6n2z=r%k7b=*Sf~D(yVpPV9qAqa!Q#YzphR}e8h1*x-|jx&oNyn1g!r%5|JjG@_n$sEp?|QC zrtg0TL$CDx?`Y_q>whP)pSFDLdd+5OALC2V#Ape`#Kz~eu|c2BS9PD%zV-^wcDA#f V?QB){UjP6A|Nj$u{#pPu003bq(7*ry literal 0 HcmV?d00001 
diff --git a/assets/rancher-cis-benchmark/rancher-cis-benchmark-2.0.5-rc3.tgz b/assets/rancher-cis-benchmark/rancher-cis-benchmark-2.0.5-rc3.tgz new file mode 100644 index 0000000000000000000000000000000000000000..e87cd9cf879bd293f58fb994e630c699568e7773 GIT binary patch literal 5343 zcmV<56d>y#iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PKDLa@#nPfByaQDY}&XR+1@``en&E)y`IVGQKU}CYh9--L0wY zlmnA332O@A0HC!xkKg5<<(}*c07+34W&Mam+dJ$^#S{rNfCfI@4S;M2!u&A`*Qe6G zM&^$vMBFsrjfqg+j7-88d!SaU)#@J~o4>7AtN6FwZ*^X@k30Q#@A$aWZ@p->d)-dw z1+?~2_&SQEBH~5so69OT?wJr_j4PrjXL8^G_(YMAk363!6{1IZlf;Umq3DoekYz7T7El?5Wact5!2!HGzl0ys0!q{0#MkKFqL7rc0lfOt z_t5q_ZLj6F;E(#Ur!QZXX4OT=i1;`F-4Gt3Ac_lD&ZNRgX%;RA5K<*5a~r2$HJbSq2^=FdDojHN;$eZpk(wq2S(?SzHKcf5Ym_KtV5y6FN# zBoY%Tmv(1qJ~fN9v~2BM#d%noET*o{ClP1J)GGEQqJK+ke%p3P6wQBjyq4E(~0f5_$>KA9j3 zfN`Z|CL{Fea0WrrJ6UcZEYJx;B)14kcL>oP;&Uc_%42C*`(sXhG@Yr&x)>Cm?L87o z4wU&qn*j;_m@wb|70T#StuB$>Qo-2-nUXN2Y78OOD&FwUs&WJ}_Q$&T50p`@8a+54 z>i&g*!<4XvmgKU<%(hmU$_;rK@+oB_!#$)-Cn3QZ$HqaiND4uH_hR^ zdv3@wBr9srS&j*Jj>iVGahP0idI8P|vVvZ?#X9mO=jCgTCR5<~R0`D;2a zUpo5MrMbg}89%J zAa`0`$8kuA!uEhQ_Q3##B$Q|{ev87?bV>xXBWHq2P+xxHLJi<;>uu|i4eK+Za{HfY z=jPQI!w7}+RJ5}zux|d>?Hm{E|H(=ox3|%TPDg78hZYcK!VTXP$vcH zk1>ctG(LkGbBTG5&QfohhpsU|Ip(%aF5IA2_W4<{R`SMk93*-54IB>9R|9B# zYzk+BiUdRv?ZYiEibOnc6JE*lWJ&JsE}I=LSr-rP?;Sm(7#KG&@rRA~Xci#f8xP#x zfW@V?=3M<0rjQX2K3MPZj0F+bZnWm$LS&ptpUT9!%(TqEkCIu3|M?;>xsk4(WN)to z*5SWX^#3|-{inu%1yn@$B4jdDzq5|YrBB#=Rel-Y$r#BHn)o-L?1Hy23G`fzviXEG zE4tD4+C8t;_;-QUv!KoKuT!+W-a+u+UB>@$jsGfWzxYqa$ZGtXMWGu0PlvX}f4?gH z_iFrCL5IM9e`oynYy4MCo8uo7|G&Mp23U{(ei8r2of`j@(0=isjgi$F0P7jRQ=-lB zKf1vR=l{KW{$C007yro^S&jbD4c6#?O0+rtZ@My_1Gr-%0%RC$rVQ5N|G2pR-|cm~ zHU6uh{o=oDjI34$H{AzaflkZo)ym+&v>X1-`_59*+l}@F*WGpu^#R zK1ON{@N{W&{EHh*_W%xW|NHIQ{#Qc##edltS&e>CPX->HcEkU{?SH3R+y6@FaQNTE z{?{7dv1u3lS1|wYx9k1?O6XAd-(>#34*m6R;NfXE{8wQA>+e4+p~K;SANIf20Eecn z@ZZ^O0bqOlcl#&x`~Q{D-toUYMjnKJ=Ry3xt?_?g+7bU-IRNYN-z(bxZo7W}rxH3K 
z{x@_0Y7Ow1v=jcfTmaa?{-3n!_kSv(gW-R}1%L<9U+@1NoOZEobV(GKe zn*t*)lznuI;#v;iOT!mP6gG~a5l2CC6<~<=Dk91sH;x)3RQl)C{)9$IrE2`LvYo{k znT58(mj;O@Q z;`AAgmfzVpSk3>jby!Wi(^~tV4u!+n|F*s^*#Azu-v6tF5*=-N`2&fH!I_s8b`qh? zEmx=8gz-uF&O^}VW*MIno)DqP!lWgEvjwPGgbwK0!vKDBjgtDK-7d6ykV%blQxFrD zK&SiD_iGdOE$dF6x1NX;*Eg5)W(6#z?w6;=8##am-pKT^R>>pXs>WzuJAIRwlw>jG zO;_JscVvw@AemrK`h*5NX@z#ft?xz^p-C`8x31Ae6yO!(wlrzu=uxiM3Kw3_A`#Vz&m)c1MJ z)W;>Exk&hj&`$E))Xr++@n6_rG;{08~u!;LQraFeQBeLnqjX>}eb z#EO2I`%fQ#`r)rX{d|ZvCPB^DwQr#Yn>H=wy`ov~&M&V{-=AH4zP$Qy_W9!c-R0G% zpDsQxbAGjMoVf`B$lJ3rnV=v}n(ppgQ2b{y2{Ufv?vnr4?bh)htD)k8Uee!`jg}VjKH5jt!ap!GG-E{nzhhX}hzAQN9RN@^ z5-5|^L30O-H|+TQJd4sr#B-a+T%Xy?$CmX|q;>c=i{6=|u;{dIssq;T|FqgCOW%Lj z_^*bF_`lZuJ;(fi@#_+#n?d19;s6xRj{|6oF`RgE+#GX$(-=U+rAp6_JF>sxXe3C0 z%gJ54+2UF-HwIvC%Gmc20}PJf8i!nIwHx_4g-#!_u9hqGn8G#y9DxC{{ z)DH978Lk;lmXdjGW2ZSw;_W5}%dDQ%7Sh@IM`QJjb~$SyN#05K`D8*gfW9=60&+Wu z&{!OAcAL>OOJBN?{{QYD4H7Fp(FraW#_wl-gX|xT1Q+Z`jAH4L?v8P&Rr} zLb*=rq^~bvcEEqXTl;^N(Ejn?uN43N8vox!+u*-E0`Rwg|JUsS0JZJkinho9w$Xn#!GF>J?;h9R|5Za3*#CZI=&$GgThlK1 z-!A&^F82SpRmcCWhAOfDRce6R{%=KF;=e2c@HfZ*?skjk{~ovN`2W?=p7Fo@b$mq| z0OgT~A6vRlpLWLo7K;FD@qb+0|3B{4=YLm22giS98vv_f4?nhqpEm7?|E*pC*vbCa z_^*Txg#XH404R?<{Mgcc`m{6t4{iVJ{l7}+;P`(G`(LjDY)o6=pWMi;U;Q_<4*#8# zV*KxRyHlV4Qwi-8|GDUN2gbTCsqH-*AwOZ-0{?h8{1@N+s(@ zF7E%gyY=~B)lebccj<@jMWk;Y>397H@x+%w`%7sJ{@dMN@%+C|r(gU3mC(y14A@A)>kt{d4mrPxBWOGnM56(XTx5y{H1xkW zZ=eP4{k`+j#2o#@kjE^5!S@hQU*#T1RO!P;(c5U|{EUW;Z?!|t?1Zx2StL%*?hG!> zi80Ih1z{ru?;VNAH4UkvD8189=ZXH4xs-GWV3pIL;zh+5H(-vwX@Yk3M44`q5UcI~cQ34SN zW;vFPJosdkCM5a<)EL3%LZFPe3FV@*fIlWeCE@#5i-qEgMSi*RC`pA9J2*#OceNp z!8Jm_r!3?oz`%2ymvC-%fsOp>eEs^>8Dlufv`Oi32CoUOjTdU2HRB+H%L<;U2{37R zK6bBEN9Fh@QRE6F!36iA1J>aGxLy4Iv)w!C*7&c4R^VT1=%=PO1N{QL4gC4g8t??z zu{QDWMYDSS4w=3+v$V)TL5H)B2p#UYkxDmFx-Vu42>aEL-b;jw@(0rzv|CK&L1K56PF z>5b-X$NN_knK=a2Xf%DNXUfk>C(%997RbYpPqh@ZUgHdzk^{$a;Y(iE%*!58HIA=M z(P^pqgm1uwB^^8_EYRH%l9>5p%0~bDKf35IT0|DarTodSF-e8noTq&Qiu2IwToE$~ 
z1Y}GV>b}(-sZcw6oSEh^9-!1uW?GJaSyJsDoDOxbTm3(zjLPwm9U}P_q{?3xwxs`8 zs(%+Q4OYCt*v4Kqc+z*% zRvf`}O#QKDt8dSZ-fcRiNZ_E2E@3kh7@H2MpLDF^Aa7^{l-ZIq1|F1+aRNh}X2+D2 zwE+BBDn6OV+_Yy}Fk4Q9fh{<#w~^aqf&nE8!j! zE5w{-FB9~lFOxD-T*D$!ZFATFkub$D)PHqmvrtm#tB43PL4`sl-S#c=omYKH!dft= zAqu6dc#+B7O?CS#S@7;i6ou5cl?+iy4QJCzl7YbtXyd?1e~dvK;*l9bQqQLBxiuD9 zd8m7ijp%)D6a-8OQ(Au3ex$h+H^9b_-lCo&8ZL!`Qy9r3!-%0B5y)gL&vBGUE%*yf? z22}HC>olE}lj$TLt3>2!x10t6)qF@8&K3nLQNdT6cwiO|zFLKV xU_+k6&!->WYs7{N({V1q2J&3{J@bWJtYRMRu1{|f*B|NpF>;6?z}004Sp{%`;Q literal 0 HcmV?d00001 diff --git a/charts/rancher-cis-benchmark-crd/2.0.5-rc3/Chart.yaml b/charts/rancher-cis-benchmark-crd/2.0.5-rc3/Chart.yaml new file mode 100644 index 000000000..d1ad06aee --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/2.0.5-rc3/Chart.yaml @@ -0,0 +1,10 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/release-name: rancher-cis-benchmark-crd +apiVersion: v1 +description: Installs the CRDs for rancher-cis-benchmark. +name: rancher-cis-benchmark-crd +type: application +version: 2.0.5-rc3 diff --git a/charts/rancher-cis-benchmark-crd/2.0.5-rc3/README.md b/charts/rancher-cis-benchmark-crd/2.0.5-rc3/README.md new file mode 100644 index 000000000..f6d9ef621 --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/2.0.5-rc3/README.md @@ -0,0 +1,2 @@ +# rancher-cis-benchmark-crd +A Rancher chart that installs the CRDs used by rancher-cis-benchmark. diff --git a/charts/rancher-cis-benchmark-crd/2.0.5-rc3/templates/clusterscan.yaml b/charts/rancher-cis-benchmark-crd/2.0.5-rc3/templates/clusterscan.yaml new file mode 100644 index 000000000..3cbb0ffcd --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/2.0.5-rc3/templates/clusterscan.yaml 
@@ -0,0 +1,148 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterscans.cis.cattle.io +spec: + group: cis.cattle.io + names: + kind: ClusterScan + plural: clusterscans + scope: Cluster + versions: + - name: v1 + served: true + storage: true + additionalPrinterColumns: + - jsonPath: .status.lastRunScanProfileName + name: ClusterScanProfile + type: string + - jsonPath: .status.summary.total + name: Total + type: string + - jsonPath: .status.summary.pass + name: Pass + type: string + - jsonPath: .status.summary.fail + name: Fail + type: string + - jsonPath: .status.summary.skip + name: Skip + type: string + - jsonPath: .status.summary.warn + name: Warn + type: string + - jsonPath: .status.summary.notApplicable + name: Not Applicable + type: string + - jsonPath: .status.lastRunTimestamp + name: LastRunTimestamp + type: string + - jsonPath: .spec.scheduledScanConfig.cronSchedule + name: CronSchedule + type: string + subresources: + status: {} + schema: + openAPIV3Schema: + properties: + spec: + properties: + scanProfileName: + nullable: true + type: string + scheduledScanConfig: + nullable: true + properties: + cronSchedule: + nullable: true + type: string + retentionCount: + type: integer + scanAlertRule: + nullable: true + properties: + alertOnComplete: + type: boolean + alertOnFailure: + type: boolean + type: object + type: object + scoreWarning: + enum: + - pass + - fail + nullable: true + type: string + type: object + status: + properties: + NextScanAt: + nullable: true + type: string + ScanAlertingRuleName: + nullable: true + type: string + conditions: + items: + properties: + lastTransitionTime: + nullable: true + type: string + lastUpdateTime: + nullable: true + type: string + message: + nullable: true + type: string + reason: + nullable: true + type: string + status: + nullable: true + type: string + type: + nullable: true + type: string + type: object + nullable: true + type: array + display: + nullable: true + 
properties: + error: + type: boolean + message: + nullable: true + type: string + state: + nullable: true + type: string + transitioning: + type: boolean + type: object + lastRunScanProfileName: + nullable: true + type: string + lastRunTimestamp: + nullable: true + type: string + observedGeneration: + type: integer + summary: + nullable: true + properties: + fail: + type: integer + notApplicable: + type: integer + pass: + type: integer + skip: + type: integer + total: + type: integer + warn: + type: integer + type: object + type: object + type: object diff --git a/charts/rancher-cis-benchmark-crd/2.0.5-rc3/templates/clusterscanbenchmark.yaml b/charts/rancher-cis-benchmark-crd/2.0.5-rc3/templates/clusterscanbenchmark.yaml new file mode 100644 index 000000000..fd291f8c3 --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/2.0.5-rc3/templates/clusterscanbenchmark.yaml 
@@ -0,0 +1,54 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterscanbenchmarks.cis.cattle.io +spec: + group: cis.cattle.io + names: + kind: ClusterScanBenchmark + plural: clusterscanbenchmarks + scope: Cluster + versions: + - name: v1 + served: true + storage: true + additionalPrinterColumns: + - jsonPath: .spec.clusterProvider + name: ClusterProvider + type: string + - jsonPath: .spec.minKubernetesVersion + name: MinKubernetesVersion + type: string + - jsonPath: .spec.maxKubernetesVersion + name: MaxKubernetesVersion + type: string + - jsonPath: .spec.customBenchmarkConfigMapName + name: customBenchmarkConfigMapName + type: string + - jsonPath: .spec.customBenchmarkConfigMapNamespace + name: customBenchmarkConfigMapNamespace + type: string + subresources: + status: {} + schema: + openAPIV3Schema: + properties: + spec: + properties: + clusterProvider: + nullable: true + type: string + customBenchmarkConfigMapName: + nullable: true + type: string + customBenchmarkConfigMapNamespace: + nullable: true + type: string + maxKubernetesVersion: + nullable: true + type: string + minKubernetesVersion: + nullable: true + type: string + type: object + type: object diff --git a/charts/rancher-cis-benchmark-crd/2.0.5-rc3/templates/clusterscanprofile.yaml b/charts/rancher-cis-benchmark-crd/2.0.5-rc3/templates/clusterscanprofile.yaml new file mode 100644 index 000000000..1e75501b7 --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/2.0.5-rc3/templates/clusterscanprofile.yaml 
@@ -0,0 +1,36 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterscanprofiles.cis.cattle.io +spec: + group: cis.cattle.io + names: + kind: ClusterScanProfile + plural: clusterscanprofiles + scope: Cluster + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + properties: + spec: + properties: + benchmarkVersion: + nullable: true + type: string + skipTests: + items: + nullable: true + type: string + nullable: true + type: array + type: object + type: object + additionalPrinterColumns: + - jsonPath: .spec.benchmarkVersion + name: BenchmarkVersion + type: string diff --git a/charts/rancher-cis-benchmark-crd/2.0.5-rc3/templates/clusterscanreport.yaml b/charts/rancher-cis-benchmark-crd/2.0.5-rc3/templates/clusterscanreport.yaml new file mode 100644 index 000000000..6e8c0b7de --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/2.0.5-rc3/templates/clusterscanreport.yaml @@ -0,0 +1,39 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterscanreports.cis.cattle.io +spec: + group: cis.cattle.io + names: + kind: ClusterScanReport + plural: clusterscanreports + scope: Cluster + versions: + - name: v1 + served: true + storage: true + additionalPrinterColumns: + - jsonPath: .spec.lastRunTimestamp + name: LastRunTimestamp + type: string + - jsonPath: .spec.benchmarkVersion + name: BenchmarkVersion + type: string + subresources: + status: {} + schema: + openAPIV3Schema: + properties: + spec: + properties: + benchmarkVersion: + nullable: true + type: string + lastRunTimestamp: + nullable: true + type: string + reportJSON: + nullable: true + type: string + type: object + type: object \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/Chart.yaml b/charts/rancher-cis-benchmark/2.0.5-rc3/Chart.yaml new file mode 100644 index 000000000..d5dcb9b97 --- /dev/null 
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/Chart.yaml
@@ -0,0 +1,22 @@
+annotations:
+ catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/display-name: CIS Benchmark
+ catalog.cattle.io/kube-version: '>= 1.21.0-0 < 1.25.0-0'
+ catalog.cattle.io/namespace: cis-operator-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/permits-os: linux,windows
+ catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1
+ catalog.cattle.io/rancher-version: '>= 2.6.0-0 < 2.7.0-0'
+ catalog.cattle.io/release-name: rancher-cis-benchmark
+ catalog.cattle.io/type: cluster-tool
+ catalog.cattle.io/ui-component: rancher-cis-benchmark
+apiVersion: v1
+appVersion: v2.0.5-rc3
+description: The cis-operator enables running CIS benchmark security scans on a kubernetes
+ cluster
+icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg
+keywords:
+- security
+name: rancher-cis-benchmark
+version: 2.0.5-rc3
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/README.md b/charts/rancher-cis-benchmark/2.0.5-rc3/README.md
new file mode 100644
index 000000000..50beab58b
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/README.md
@@ -0,0 +1,9 @@
+# Rancher CIS Benchmark Chart
+
+The cis-operator enables running CIS benchmark security scans on a kubernetes cluster and generate compliance reports that can be downloaded.
+
+# Installation
+
+```
+helm install rancher-cis-benchmark ./ --create-namespace -n cis-operator-system
+```
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/app-readme.md b/charts/rancher-cis-benchmark/2.0.5-rc3/app-readme.md
new file mode 100644
index 000000000..5e495d605
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/app-readme.md
@@ -0,0 +1,15 @@
+# Rancher CIS Benchmarks
+
+This chart enables security scanning of the cluster using [CIS (Center for Internet Security) benchmarks](https://www.cisecurity.org/benchmark/kubernetes/).
+
+For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/cis-scans/v2.5/).
+
+This chart installs the following components:
+
+- [cis-operator](https://github.com/rancher/cis-operator) - The cis-operator handles launching the [kube-bench](https://github.com/aquasecurity/kube-bench) tool that runs a suite of CIS tests on the nodes of your Kubernetes cluster. After scans finish, the cis-operator generates a compliance report that can be downloaded.
+- Scans - A scan is a CRD (`ClusterScan`) that defines when to trigger CIS scans on the cluster based on the defined profile. A report is created after the scan is completed.
+- Profiles - A profile is a CRD (`ClusterScanProfile`) that defines the configuration for the CIS scan, which is the benchmark versions to use and any specific tests to skip in that benchmark. This chart installs a few default `ClusterScanProfile` custom resources with no skipped tests, which can immediately be used to launch CIS scans.
+- Benchmark Versions - A benchmark version is a CRD (`ClusterScanBenchmark`) that defines the CIS benchmark version to run using kube-bench as well as the valid configuration parameters for that benchmark. This chart installs a few default `ClusterScanBenchmark` custom resources.
+- Alerting Resources - Rancher's CIS Benchmark application lets you run a cluster scan on a schedule, and send alerts when scans finish.
+ - If you want to enable alerts to be delivered when a cluster scan completes, you need to ensure that [Rancher's Monitoring and Alerting](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/) application is pre-installed and the [Receivers and Routes](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/configuration/#alertmanager-config) are configured to send out alerts.
+ - Additionally, you need to set `alerts: true` in the Values YAML while installing or upgrading this chart.
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/_helpers.tpl b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/_helpers.tpl
new file mode 100644
index 000000000..b7bb00042
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/_helpers.tpl
@@ -0,0 +1,27 @@
+{{/* Ensure namespace is set the same everywhere */}}
+{{- define "cis.namespace" -}}
+ {{- .Release.Namespace | default "cis-operator-system" -}}
+{{- end -}}
+
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/alertingrule.yaml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/alertingrule.yaml
new file mode 100644
index 000000000..1787c88a0
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/alertingrule.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.alerts.enabled -}}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: rancher-cis-pod-monitor
+ namespace: {{ template "cis.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ cis.cattle.io/operator: cis-operator
+ podMetricsEndpoints:
+ - port: cismetrics
+{{- end }}
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-aks-1.0.yaml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-aks-1.0.yaml
new file mode 100644
index 000000000..1ac866253
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-aks-1.0.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: aks-1.0
+spec:
+ clusterProvider: aks
+ minKubernetesVersion: "1.15.0"
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-cis-1.5.yaml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-cis-1.5.yaml
new file mode 100644
index 000000000..39e8b834a
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-cis-1.5.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: cis-1.5
+spec:
+ clusterProvider: ""
+ minKubernetesVersion: "1.15.0"
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-cis-1.6.yaml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-cis-1.6.yaml
new file mode 100644
index 000000000..93ba064f4
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-cis-1.6.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: cis-1.6
+spec:
+ clusterProvider: ""
+ minKubernetesVersion: "1.16.0"
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-eks-1.0.1.yaml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-eks-1.0.1.yaml
new file mode 100644
index 000000000..d1ba9d295
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-eks-1.0.1.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: eks-1.0.1
+spec:
+ clusterProvider: eks
+ minKubernetesVersion: "1.15.0"
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-gke-1.0.yaml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-gke-1.0.yaml
new file mode 100644
index 000000000..72122e8c5
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-gke-1.0.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: gke-1.0
+spec:
+ clusterProvider: gke
+ minKubernetesVersion: "1.15.0"
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-k3s-cis-1.6-hardened.yaml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-k3s-cis-1.6-hardened.yaml
new file mode 100644
index 000000000..3ca9b6009
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-k3s-cis-1.6-hardened.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: k3s-cis-1.6-hardened
+spec:
+ clusterProvider: k3s
+ minKubernetesVersion: "1.20.5"
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-k3s-cis-1.6-permissive.yaml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-k3s-cis-1.6-permissive.yaml
new file mode 100644
index 000000000..6d4253c6e
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-k3s-cis-1.6-permissive.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: k3s-cis-1.6-permissive
+spec:
+ clusterProvider: k3s
+ minKubernetesVersion: "1.20.5"
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-rke-cis-1.5-hardened.yaml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-rke-cis-1.5-hardened.yaml
new file mode 100644
index 000000000..b5627f966
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-rke-cis-1.5-hardened.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: rke-cis-1.5-hardened
+spec:
+ clusterProvider: rke
+ minKubernetesVersion: "1.15.0"
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-rke-cis-1.5-permissive.yaml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-rke-cis-1.5-permissive.yaml
new file mode 100644
index 000000000..95f80c0f0
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-rke-cis-1.5-permissive.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: rke-cis-1.5-permissive
+spec:
+ clusterProvider: rke
+ minKubernetesVersion: "1.15.0"
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-rke-cis-1.6-hardened.yaml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-rke-cis-1.6-hardened.yaml
new file mode 100644
index 000000000..d75de8154
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-rke-cis-1.6-hardened.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: rke-cis-1.6-hardened
+spec:
+ clusterProvider: rke
+ minKubernetesVersion: "1.16.0"
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-rke-cis-1.6-permissive.yaml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-rke-cis-1.6-permissive.yaml
new file mode 100644
index 000000000..52428f4a7
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-rke-cis-1.6-permissive.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: rke-cis-1.6-permissive
+spec:
+ clusterProvider: rke
+ minKubernetesVersion: "1.16.0"
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-rke2-cis-1.5-hardened.yaml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-rke2-cis-1.5-hardened.yaml
new file mode 100644
index 000000000..3d83e9bd8
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-rke2-cis-1.5-hardened.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: rke2-cis-1.5-hardened
+spec:
+ clusterProvider: rke2
+ minKubernetesVersion: "1.18.0"
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-rke2-cis-1.5-permissive.yaml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-rke2-cis-1.5-permissive.yaml
new file mode 100644
index 000000000..f66aa8f6e
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-rke2-cis-1.5-permissive.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: rke2-cis-1.5-permissive
+spec:
+ clusterProvider: rke2
+ minKubernetesVersion: "1.18.0"
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-rke2-cis-1.6-hardened.yaml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-rke2-cis-1.6-hardened.yaml
new file mode 100644
index 000000000..3593bf371
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-rke2-cis-1.6-hardened.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: rke2-cis-1.6-hardened
+spec:
+ clusterProvider: rke2
+ minKubernetesVersion: "1.20.5"
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-rke2-cis-1.6-permissive.yaml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-rke2-cis-1.6-permissive.yaml
new file mode 100644
index 000000000..522f846ae
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/benchmark-rke2-cis-1.6-permissive.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: rke2-cis-1.6-permissive
+spec:
+ clusterProvider: rke2
+ minKubernetesVersion: "1.20.5"
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/cis-roles.yaml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/cis-roles.yaml
new file mode 100644
index 000000000..23c93dc65
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/cis-roles.yaml
@@ -0,0 +1,49 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cis-admin
+rules:
+ - apiGroups:
+ - cis.cattle.io
+ resources:
+ - clusterscanbenchmarks
+ - clusterscanprofiles
+ - clusterscans
+ - clusterscanreports
+ verbs: ["create", "update", "delete", "patch","get", "watch", "list"]
+ - apiGroups:
+ - catalog.cattle.io
+ resources: ["apps"]
+ resourceNames: ["rancher-cis-benchmark"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cis-view
+rules:
+ - apiGroups:
+ - cis.cattle.io
+ resources:
+ - clusterscanbenchmarks
+ - clusterscanprofiles
+ - clusterscans
+ - clusterscanreports
+ verbs: ["get", "watch", "list"]
+ - apiGroups:
+ - catalog.cattle.io
+ resources: ["apps"]
+ resourceNames: ["rancher-cis-benchmark"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs: ["get", "watch", "list"]
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/configmap.yaml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/configmap.yaml
new file mode 100644
index 000000000..3de10e55e
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/configmap.yaml
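Review bot: In cis-roles.yaml the third rule of `cis-admin` grants `verbs: '*'` on `configmaps` in the core API group, and because this is a ClusterRole that covers every ConfigMap the binding reaches, including those in `kube-system` if the role is bound cluster-wide. The other two rules in the same role list their verbs explicitly, so the wildcard also pulls in `deletecollection` and any verb added later. I would spell the verbs out, `verbs: ["create", "update", "delete", "patch", "get", "watch", "list"]`, and add a comment along the lines of `# bind with a RoleBinding in the chart namespace; ConfigMap access is only needed there` if that matches the intended use; how the role is bound is not visible in this patch. `cis-view` has the same breadth for read access to ConfigMaps.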
@@ -0,0 +1,18 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: default-clusterscanprofiles
+ namespace: {{ template "cis.namespace" . }}
+data:
+ # Default ClusterScanProfiles per cluster provider type
+ rke: |-
+ <1.16.0: rke-profile-permissive-1.5
+ >=1.16.0: rke-profile-permissive-1.6
+ rke2: |-
+ <1.20.5: rke2-cis-1.5-profile-permissive
+ >=1.20.5: rke2-cis-1.6-profile-permissive
+ eks: "eks-profile"
+ gke: "gke-profile"
+ aks: "aks-profile"
+ k3s: "k3s-cis-1.6-profile-permissive"
+ default: "cis-1.6-profile"
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/deployment.yaml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/deployment.yaml
new file mode 100644
index 000000000..ab0bb3e24
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/deployment.yaml
@@ -0,0 +1,55 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cis-operator
+ namespace: {{ template "cis.namespace" . }}
+ labels:
+ cis.cattle.io/operator: cis-operator
+spec:
+ selector:
+ matchLabels:
+ cis.cattle.io/operator: cis-operator
+ template:
+ metadata:
+ labels:
+ cis.cattle.io/operator: cis-operator
+ spec:
+ serviceAccountName: cis-operator-serviceaccount
+ containers:
+ - name: cis-operator
+ image: '{{ template "system_default_registry" . }}{{ .Values.image.cisoperator.repository }}:{{ .Values.image.cisoperator.tag }}'
+ imagePullPolicy: Always
+ ports:
+ - name: cismetrics
+ containerPort: {{ .Values.alerts.metricsPort }}
+ env:
+ - name: SECURITY_SCAN_IMAGE
+ value: {{ template "system_default_registry" . }}{{ .Values.image.securityScan.repository }}
+ - name: SECURITY_SCAN_IMAGE_TAG
+ value: {{ .Values.image.securityScan.tag }}
+ - name: SONOBUOY_IMAGE
+ value: {{ template "system_default_registry" . }}{{ .Values.image.sonobuoy.repository }}
+ - name: SONOBUOY_IMAGE_TAG
+ value: {{ .Values.image.sonobuoy.tag }}
+ - name: CIS_ALERTS_METRICS_PORT
+ value: '{{ .Values.alerts.metricsPort }}'
+ - name: CIS_ALERTS_SEVERITY
+ value: {{ .Values.alerts.severity }}
+ - name: CIS_ALERTS_ENABLED
+ value: {{ .Values.alerts.enabled | default "false" | quote }}
+ - name: CLUSTER_NAME
+ value: '{{ .Values.global.cattle.clusterName }}'
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
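Review bot: The `cis-operator` container in deployment.yaml sets no `securityContext`, so it runs with whatever user and capabilities the image defaults to while using `cis-operator-serviceaccount`, which rbac.yaml in this patch binds to `cluster-admin`. A container-level context that blocks privilege escalation and drops capabilities is a low-risk hardening step, assuming the operator only talks to the API server; that is not verifiable from this hunk. Separately, `SECURITY_SCAN_IMAGE_TAG`, `SONOBUOY_IMAGE_TAG` and `CIS_ALERTS_SEVERITY` are rendered unquoted, unlike `CIS_ALERTS_ENABLED`, so a numeric-looking override would not reach the API as a string; `| quote` on those values avoids that.

```yaml
# … unchanged: Deployment metadata, selector, container name and image …
          imagePullPolicy: Always
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
# … unchanged: ports, env, resources, scheduling …
```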
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/network_policy_allow_all.yaml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/network_policy_allow_all.yaml
new file mode 100644
index 000000000..6ed5d645e
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/network_policy_allow_all.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-allow-all
+ namespace: {{ template "cis.namespace" . }}
+spec:
+ podSelector: {}
+ ingress:
+ - {}
+ egress:
+ - {}
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/patch_default_serviceaccount.yaml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/patch_default_serviceaccount.yaml
new file mode 100644
index 000000000..e78a6bd08
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/patch_default_serviceaccount.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: patch-sa
+ annotations:
+ "helm.sh/hook": post-install, post-upgrade
+ "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+spec:
+ template:
+ spec:
+ serviceAccountName: cis-operator-serviceaccount
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+ restartPolicy: Never
+ containers:
+ - name: sa
+ image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
+ args: ["-n", {{ template "cis.namespace" . }}]
+
+ backoffLimit: 1
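Review bot: `default-allow-all` in network_policy_allow_all.yaml selects every pod in the namespace (`podSelector: {}`) and admits all ingress and egress, so it gives the operator and scan pods no isolation while the namespace still appears to be covered by a policy. If the open policy is deliberate, the file should say why, for example `# Intentionally permissive: <reason scan pods need unrestricted traffic>` at the top, with the real reason filled in. If only the metrics endpoint has to be reachable, ingress could be narrowed to the `cismetrics` port from deployment.yaml; whether the scan pods need other inbound traffic is not visible in this patch.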
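Review bot: The `patch-sa` hook Job in patch_default_serviceaccount.yaml runs as `cis-operator-serviceaccount`, which rbac.yaml in this same patch binds to `cluster-admin`, although its only command is a `kubectl patch` of the `default` ServiceAccount in one namespace. A dedicated ServiceAccount with a namespaced Role limited to that one object would keep a full-cluster token out of a pod that runs a general-purpose kubectl image. The sketch below shows the Role rule and the changed `serviceAccountName`; the account name is illustrative, and the matching ServiceAccount and RoleBinding would have to exist before the post-install hook runs.

```yaml
# … unchanged: Job metadata and hook annotations …
      serviceAccountName: cis-patch-sa  # illustrative name
# … unchanged: nodeSelector, tolerations, container …
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cis-patch-sa  # illustrative name
  namespace: {{ template "cis.namespace" . }}
rules:
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    resourceNames: ["default"]
    verbs: ["get", "patch"]
```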
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/rbac.yaml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/rbac.yaml
new file mode 100644
index 000000000..4ff88ea5f
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/rbac.yaml
@@ -0,0 +1,43 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+ name: cis-operator-role
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+ name: cis-operator-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cis-operator-role
+subjects:
+- kind: ServiceAccount
+ name: cis-serviceaccount
+ namespace: {{ template "cis.namespace" . }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: cis-operator-installer
+subjects:
+- kind: ServiceAccount
+ name: cis-operator-serviceaccount
+ namespace: {{ template "cis.namespace" . }}
+roleRef:
+ kind: ClusterRole
+ name: cluster-admin
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-cis-1.5.yml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-cis-1.5.yml
new file mode 100644
index 000000000..d69ae9dd5
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-cis-1.5.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: cis-1.5-profile
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: cis-1.5
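Review bot: rbac.yaml gives both service accounts unrestricted cluster access: `cis-operator-role` uses `'*'` for apiGroups, resources and verbs and is bound to `cis-serviceaccount`, and `cis-operator-installer` binds `cis-operator-serviceaccount` to the built-in `cluster-admin`. A compromise of any image or pod that uses either account then amounts to full control of the cluster, which is a heavy blast radius for a tool whose job is to read configuration and report on it. If the account bound to `cis-operator-role` only reads cluster state for the scan (an assumption, its consumer is not in this patch), its rule could end in `verbs: ["get", "list", "watch"]`, and the operator binding should point at a chart-defined ClusterRole that enumerates what the operator creates rather than at `cluster-admin`. At minimum each binding deserves a comment stating which operations require this level of access.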
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-cis-1.6.yaml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-cis-1.6.yaml
new file mode 100644
index 000000000..8a8d8bf88
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-cis-1.6.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: cis-1.6-profile
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: cis-1.6
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-k3s-cis-1.6-hardened.yml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-k3s-cis-1.6-hardened.yml
new file mode 100644
index 000000000..095e977ab
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-k3s-cis-1.6-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: k3s-cis-1.6-profile-hardened
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: k3s-cis-1.6-hardened
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-k3s-cis-1.6-permissive.yml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-k3s-cis-1.6-permissive.yml
new file mode 100644
index 000000000..3b22a80c8
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-k3s-cis-1.6-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: k3s-cis-1.6-profile-permissive
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: k3s-cis-1.6-permissive
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-rke-1.5-hardened.yml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-rke-1.5-hardened.yml
new file mode 100644
index 000000000..4eabe158a
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-rke-1.5-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke-profile-hardened-1.5
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke-cis-1.5-hardened
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-rke-1.5-permissive.yml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-rke-1.5-permissive.yml
new file mode 100644
index 000000000..1f78751d1
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-rke-1.5-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke-profile-permissive-1.5
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke-cis-1.5-permissive
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-rke-1.6-hardened.yaml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-rke-1.6-hardened.yaml
new file mode 100644
index 000000000..d38febd80
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-rke-1.6-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke-profile-hardened-1.6
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke-cis-1.6-hardened
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-rke-1.6-permissive.yaml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-rke-1.6-permissive.yaml
new file mode 100644
index 000000000..d31b5b0d2
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-rke-1.6-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke-profile-permissive-1.6
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke-cis-1.6-permissive
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-rke2-cis-1.5-hardened.yml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-rke2-cis-1.5-hardened.yml
new file mode 100644
index 000000000..83eb3131e
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-rke2-cis-1.5-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke2-cis-1.5-profile-hardened
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke2-cis-1.5-hardened
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-rke2-cis-1.5-permissive.yml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-rke2-cis-1.5-permissive.yml
new file mode 100644
index 000000000..40dc44bdf
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-rke2-cis-1.5-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke2-cis-1.5-profile-permissive
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke2-cis-1.5-permissive
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-rke2-cis-1.6-hardened.yml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-rke2-cis-1.6-hardened.yml
new file mode 100644
index 000000000..c7ac7f949
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-rke2-cis-1.6-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke2-cis-1.6-profile-hardened
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke2-cis-1.6-hardened
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-rke2-cis-1.6-permissive.yml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-rke2-cis-1.6-permissive.yml
new file mode 100644
index 000000000..96ca1345a
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofile-rke2-cis-1.6-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke2-cis-1.6-profile-permissive
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke2-cis-1.6-permissive
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofileaks.yml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofileaks.yml
new file mode 100644
index 000000000..ea7b25b40
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofileaks.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: aks-profile
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: aks-1.0
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofileeks.yml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofileeks.yml
new file mode 100644
index 000000000..3b4e34437
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofileeks.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: eks-profile
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: eks-1.0.1
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofilegke.yml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofilegke.yml
new file mode 100644
index 000000000..2ddd0686f
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/scanprofilegke.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: gke-profile
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: gke-1.0
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/serviceaccount.yaml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/serviceaccount.yaml
new file mode 100644
index 000000000..ec48ec622
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/serviceaccount.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: {{ template "cis.namespace" . }}
+ name: cis-operator-serviceaccount
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: {{ template "cis.namespace" . }}
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+ name: cis-serviceaccount
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/templates/validate-install-crd.yaml b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/validate-install-crd.yaml
new file mode 100644
index 000000000..562295791
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/templates/validate-install-crd.yaml
@@ -0,0 +1,17 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+# {{- $found := dict -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScan" false -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScanBenchmark" false -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScanProfile" false -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScanReport" false -}}
+# {{- range .Capabilities.APIVersions -}}
+# {{- if hasKey $found (toString .) -}}
+# {{- set $found (toString .) true -}}
+# {{- end -}}
+# {{- end -}}
+# {{- range $_, $exists := $found -}}
+# {{- if (eq $exists false) -}}
+# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
+# {{- end -}}
+# {{- end -}}
+#{{- end -}}
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/2.0.5-rc3/values.yaml b/charts/rancher-cis-benchmark/2.0.5-rc3/values.yaml
new file mode 100644
index 000000000..91e812a90
--- /dev/null
+++ b/charts/rancher-cis-benchmark/2.0.5-rc3/values.yaml
@@ -0,0 +1,49 @@
+# Default values for rancher-cis-benchmark.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+image:
+ cisoperator:
+ repository: rancher/cis-operator
+ tag: v1.0.9
+ securityScan:
+ repository: rancher/security-scan
+ tag: v0.2.8-rc2
+ sonobuoy:
+ repository: rancher/mirrored-sonobuoy-sonobuoy
+ tag: v0.56.7
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+## Node labels for pod assignment
+## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: {}
+
+## List of node taints to tolerate (requires Kubernetes >= 1.6)
+tolerations: []
+
+affinity: {}
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ clusterName: ""
+ kubectl:
+ repository: rancher/kubectl
+ tag: v1.20.2
+
+alerts:
+ enabled: false
+ severity: warning
+ metricsPort: 8080
diff --git a/index.yaml b/index.yaml
index dee4eb894..d5b089311 100755
--- a/index.yaml
+++ b/index.yaml
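Review bot: `global.kubectl.tag` in values.yaml is `v1.20.2`, while the chart's `catalog.cattle.io/kube-version` annotation (repeated in the index.yaml entry of this patch) declares support for `>= 1.21.0-0 < 1.25.0-0`, so the patch-sa hook would run a kubectl that is outside the one-minor-version skew upstream supports for most of that range. I would move it to a kubectl release inside the supported range, `tag: <kubectl tag within 1.21–1.24>` (placeholder, pick the mirrored tag that exists), which also picks up client fixes released since 1.20. The blob id of this file matches packages/rancher-cis-benchmark/charts/values.yaml in the first patch of the series, so the change presumably belongs in the package source rather than in this copy.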
@@ -2476,6 +2476,32 @@ entries: - assets/rancher-backup-crd/rancher-backup-crd-1.0.200.tgz version: 1.0.200 rancher-cis-benchmark: + - annotations: + catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: CIS Benchmark + catalog.cattle.io/kube-version: '>= 1.21.0-0 < 1.25.0-0' + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1 + catalog.cattle.io/rancher-version: '>= 2.6.0-0 < 2.7.0-0' + catalog.cattle.io/release-name: rancher-cis-benchmark + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: rancher-cis-benchmark + apiVersion: v1 + appVersion: v2.0.5-rc3 + created: "2022-07-07T17:21:12.504141377+05:30" + description: The cis-operator enables running CIS benchmark security scans on + a kubernetes cluster + digest: 03bf519b288547ee055ac0be116fa44cf0cdcada4cc5881fc7c19e8bce1fa76f + icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg + keywords: + - security + name: rancher-cis-benchmark + urls: + - assets/rancher-cis-benchmark/rancher-cis-benchmark-2.0.5-rc3.tgz + version: 2.0.5-rc3 - annotations: catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match catalog.cattle.io/certified: rancher 
@@ -2739,6 +2765,20 @@ entries: - assets/rancher-cis-benchmark/rancher-cis-benchmark-1.0.100.tgz version: 1.0.100 rancher-cis-benchmark-crd: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/release-name: rancher-cis-benchmark-crd + apiVersion: v1 + created: "2022-07-07T17:21:12.505844459+05:30" + description: Installs the CRDs for rancher-cis-benchmark. + digest: 870254aaa154073b4115af1e0e406e99185f9fd2bc0176ab000ac41b457a7bf8 + name: rancher-cis-benchmark-crd + type: application + urls: + - assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-2.0.5-rc3.tgz + version: 2.0.5-rc3 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true"